APRA has recently updated its Information Paper on “Outsourcing Involving Cloud Computing Services”.
The paper was originally published in 2015, when APRA’s perspective reflected the then-recent emergence of cloud services and technologies.
At the time APRA noted “risk management practices, including risk identification and mitigation techniques, are still maturing for these types of arrangements”. In their current, updated Information Paper, APRA now sees “entities have also improved their management capability and processes for assessing and overseeing the services provided”.
Overall, APRA has now expressed a more open stance on cloud usage. However, its supervisory activities have still identified areas of weakness that regulated entities are expected to address. This translates into 16 new requirements covering continuity of operations, strength of control environments, assurance and audit, and APRA’s role and requirements as the regulator.
The key aspect of APRA’s oversight of cloud outsourcing arrangements remains that risks be understood and managed. The aggregated inherent risk profile of an arrangement is classified into one of three broad categories: low, heightened or extreme. Each category carries a different requirement for APRA review and consultation. Regardless of the risk profile, expected practice involves oversight and acceptance of the risks through the organisation’s own governance process.
As with most regulations, standards and guidelines, the difficulty lies in translating them into pragmatic actions with supporting evidence. This matters because appetite within the financial services industry for heightened and extreme inherent risk arrangements, such as migrating ‘systems of record’ to the cloud, is increasing.
The APRA Information Paper can be used as a blueprint to commence your cloud journey towards meeting regulatory requirements. Applying this, together with our experience assisting over a dozen regulated entities with cloud readiness and APRA approvals, we recommend the following 9 point action plan. It is a good starting point for cloud readiness and for an APRA submission covering cloud workloads.
Materiality & Risk
Complete a materiality assessment of the criticality and sensitivity of the assets and information in scope. Identify cloud-specific risks and controls (~60 risks across 8 cloud domains). The aggregated risk profile should be aligned with the organisation’s risk appetite.
Strategy Alignment
Define and approve the cloud/outsourcing strategy covering both technical and non-technical aspects. Ensure it is aligned with the business and broader IT strategies and includes target architectures and the target operating model.
Governance & Assurance
Define the governance framework for both the delivery program and the ongoing management of cloud services. Have the Board or approval body review and accept the solution and its risk profile. The assurance approach should include independent audit/assurance of the cloud delivery, the risk profile and the solution.
Selection & Solution
Complete a vendor assessment and formal selection process, and clearly define the scope of cloud services, assets and information involved. Undertake detailed due diligence of the cloud vendor’s services covering security, technical and operational aspects.
Transition
Plan for a lower-risk approach via proofs of concept and initial non-material workloads. This is especially important for heightened risk arrangements. Define go/no-go criteria and rollback scenarios.
Security and Information Management
Classify all assets and data and apply lifecycle controls commensurate with their criticality and sensitivity. Complete detailed security assessments of both the cloud vendor environment and the organisation’s own roles and responsibilities. Use a combination of controls, security assessments and testing, along with third-party attestations.
Resilience
Design a resilience strategy for the cloud solution covering availability, recovery and contingency. Define the contingency approach and a plan for vendor failure. Align it with existing business continuity plans and test disruption scenarios covering both planned and unplanned events.
Operating Model
Design the target operating model, ensuring clarity of roles between the organisation and the cloud vendor. We recommend implementing a cloud operations RACI (123 detailed cloud operational functions). Define the transition and change management approach for cloud-related ‘ways of working’.
Regulatory
Ensure contracts allow for APRA access to information and to vendor sites. Complete assessments against all other APRA standards and guidelines relevant to cloud and outsourcing. Design your APRA engagement and consultation plan, ensuring proactive communication and adequate evidence.
APRA has defined its expectations of organisations when it comes to consultation, with the aim of ultimately obtaining APRA’s “no objection”. In summary:
Consult APRA prior to entering into the arrangement:
- For any offshore arrangement
- For any extreme inherent risk arrangement
Consult APRA after internal governance approval, but prior to entering into the arrangement:
- For any heightened inherent risk arrangement
No need to consult APRA:
- For any low inherent risk arrangement
In summary, APRA’s updated Information Paper is a good blueprint towards a regulatory ‘no objection’ for cloud and outsourcing arrangements. Keeping focus on all three aspects (risk management, alignment with APRA standards, and supporting evidence) is key to your APRA journey.
To quote APRA:
“we will seek to ensure that regulated entities’ risk management and mitigation techniques are sufficiently strong when utilising cloud computing services that involve heightened inherent risk or an extreme impact if disrupted”
For assistance with your cloud outsourcing readiness and APRA submissions and approvals, contact us at Capital Consult.