The Australian Prudential Regulation Authority (APRA) has issued a warning over the lack of risk assessment financial institutions are conducting when outsourcing IT cloud services.
APRA is the prudential regulator of the Australian financial services industry, which encompasses banks, credit unions and insurance companies. Overall, it supervises institutions holding around $3.6 trillion in assets, according to APRA.
While the financial services industry has yet to dive headfirst into outsourced IT cloud services, many institutions are considering introducing such services for more basic computing functions such as email, instant messaging, workflow collaboration and customer relationship management (CRM) applications, according to APRA.
“While these applications may seem innocuous, the reality is they may form an integral part of an institution’s core business processes, including both approval and decision-making,” the regulator said in a statement. “[They] can be material and critical to the ongoing operations of the institution.”
APRA is urging financial institutions to give greater consideration to customer data security, compliance with legislative and prudential requirements, and their ability to continue operations should outsourced IT cloud services fail.
Prudential standards apply to IT outsourcing, and financial institutions are required to consult with APRA before committing to related arrangements. They are also expected to provide a comprehensive risk assessment on related matters.
“APRA has observed that, to date, assessments of cloud computing proposals typically lack sufficient consideration of these factors,” APRA said in the statement.