4 September, 2015
What you need to know
- The Australian Prudential Regulation Authority (APRA) released an information paper on 6 July 2015 entitled Outsourcing involving shared computer services (including cloud).
- The paper is the newest addition to an existing suite of APRA prudential standards and practice guides on outsourcing for the financial services and insurance industries.
What you need to do
- Regulated users should impose technological and contractual protections commensurate with the nature, usage and risk of the outsourced Shared Computer Service.
- APRA reports that current risk management practices are not yet strong enough for the public cloud to be suitable for financial sector usages that would have an extreme impact if disrupted.
- Regulated users need to consider how to incorporate APRA’s guiding principles into outsourcing contracts for Shared Computer Services.
Like a fine wine, the Shared Computer Services market is maturing with age. Providers and users are recognising the ‘one-size-fits-all’ approach is not appropriate in all circumstances and, at best, should only be used for low-value, standardised, commodity services on multi-tenanted infrastructure. Technology offerings and contract terms are being tailored more and more to reflect service usage requirements and associated risks.
APRA is encouraging the evolution – as evidenced, most recently, in its paper of 6 July entitled Outsourcing involving shared computer services (including cloud). For the purposes of the paper, ‘Shared Computer Services’ means IT assets including software and infrastructure, such as data centre facilities, server environments and data storage, that are not dedicated to any particular user and are shared by a variety of users across a range of industries.
The message from APRA is clear: risk mitigation is paramount in financial sector outsourcing arrangements. The makeup of Shared Computer Services can mean users have less control and assume more risk than in traditional outsourcings.
APRA’s paper identifies key risks associated with outsourcing involving Shared Computer Services and sets out prudent practices that regulated users can employ to address those risks.
In the paper, APRA takes a relatively flexible approach to regulating outsourcing involving Shared Computer Services. This is fitting given the adaptable nature of Shared Computer Services. The approach should enable regulated users to realise the benefits cloud and other shared services can bring, such as rapid deployment, high scalability and competitive pricing.
Of course, certain risks can be too dangerous. APRA observes that current risk management and mitigation techniques mean the public cloud is not suitable at this stage for service usages having an extreme risk if disrupted. A similar stance has been taken by financial regulators in other jurisdictions.
APRA’s paper explains that prudent practices vary depending on the nature, usage and risk profile of the Shared Computer Services. As risk increases, so should the degree of caution and supervisory interest exercised by the user. APRA categorises risks as:
Category of risk
- Example: shared infrastructure hosting applications and data stores with low criticality and sensitivity; and test environments.
- Heightened inherent risk: arrangements involving highly critical and/or sensitive IT assets that result in an increased likelihood of a disruption or where disruption could cause a significant impact (eg, financial and/or reputational impact). Example: untrusted environments; public cloud shared with non-financial industry entities; and unproven track records.
- Extreme risk: arrangements that would have an extreme impact if disrupted, such as hosting systems of record that hold information essential to determining obligations to customers. Example: current balance/benefits and transaction history.
APRA encourages prior consultation for shared services involving ‘heightened inherent risk’. As above, it dissuades the use of public cloud arrangements for ‘extreme risk’ service usages.
Prudent practices when outsourcing involves Shared Computer Services
APRA’s paper states that, when an outsourcing involves Shared Computer Services, prudent practices would normally include a well-considered strategy, effective governance arrangements, a rigorous selection process, appropriately addressing IT risk (including security and recovery), an efficient system to manage the provider, business disruption planning, comprehensive transition services and adequate assurance mechanisms.
A well-considered strategy
In its paper, APRA warns against making decisions based on cost alone. Business cases and board reports need to provide adequate visibility of risks as well as benefits. The business and technology strategies, and the broader IT environment, should inform the selection and use of any Shared Computer Services.
Effective governance arrangements
The paper observes that the governance framework should outline decision making and oversight responsibilities. An appropriate governance authority should receive all information necessary, both at the outset and on a continuing basis, and conduct sufficient due diligence to enable it to assess the adequacy of risk and control frameworks against the Board’s risk appetite.
A rigorous selection process
APRA is keen to ensure that risk is minimised wherever possible. Users are advised to conduct comprehensive due diligence (and not rely on attestations from providers) commensurate with the criticality and sensitivity of the IT assets. To reduce inherent risk, the regulator recommends using Australian-hosted options (unless there is a compelling business rationale) and sourcing a Shared Computer Service that has been used by parties with comparable security requirements, risk profiles and risk appetites (such as other financial sector entities).
Addressing IT risk
The paper advocates for users to conduct detailed risk assessments initially, periodically and on material change, with the level of thoroughness corresponding with the usage and nature of the Shared Computer Service. The assessments should deal with a number of matters, including:
- the ability of the Shared Computer Service to meet performance and other business requirements;
- the criticality and sensitivity of the IT assets, and the sensitivity of the data, accessible from the Shared Computer Service, and the controls protecting against security incidents including unauthorised activity (eg, by encrypting data in transit and at rest);
- transition-in and exit arrangements; and
- resilience, plausible disruption scenarios and the disaster recovery environment.
The strength of the control environment must match the risks involved.
We would expect users to involve their security, risk, legal and compliance functions to assist with identifying the different risk tolerances for different workloads and assessing whether the service suits the risk profile and operational requirements.
An efficient system to manage the provider
The paper asserts that users should be pro-active in managing the provider. For example, they should assess performance against service levels, receive information (eg, incidents) on a regular basis to enable effective oversight, and require access to the provider’s information and personnel in various scenarios.
Business disruption planning
Continuity of service is referenced as being a key concern for users. When considering resilience, our view is that providers need to assume services will fail and build in resilience (instead of assuming systems will always be available and services will not be allowed to fail).
Reliance on resilience alone would not be sufficient, which is a point also noted by APRA. APRA urges users to consider point-in-time recovery capability. This includes having a clear understanding, when a disruption event occurs, of roles and responsibilities, the state to which the Shared Computer Service will be recovered, the security control environment of the alternate site, and any impact on the back-up service. The recovery plan and strategies should be tested regularly, including to ensure there is no risk of the same event impacting both the production and recovery environments.
Comprehensive transition services
APRA’s paper recommends that users, as part of planning the IT environment, consider the transition from the current state to the desired operating model. When transitioning in to the Shared Computer Service, users should take a cautious and measured approach (eg, pilot with low-risk initiatives and have clear go/no-go criteria for each stage) and not adopt a ‘fast track’ transition.
In our experience, an important issue for many users is what will happen to their data after the relationship with the provider comes to an end. The user will need to be able to access the data to retrieve it for use elsewhere, so will require assurance that the data can be recovered in a managed fashion and in a usable format. The amount of time allowed to retrieve data needs to be sufficient. Lock-in or dependence risk can also arise in relation to applications, virtual machines (‘VMs’) and interoperability. It can be sensible to verify portability using test data and applications before contracting for shared services, rather than taking the risk that contractual assurances on portability prove untrue and leave the user with no practical ability to retrieve its data.
We also see secure and complete data deletion as a concern, particularly for financial institutions. Different degrees of ‘deletion’ tend to exist in the cloud, and remaining fragments of ‘deleted’ data can be an issue, particularly if they are intelligible or can be reassembled. Generally, deletion tends to be as much a financial as a technical issue.
Adequate assurance mechanisms
The paper recommends users obtain regular assurance that the risk and control frameworks are designed and operate effectively to manage the risks associated with the Shared Computer Service. APRA acknowledges the challenge of balancing the needs of multiple customers with the practicalities of not over-burdening the provider, and suggests a collaborative assurance model, where assurance work is designed to meet the needs of various customers, might assist. Assurance testing is proposed where a user has been unable to enforce its security policy.
Our view is similar to APRA’s, namely that there is scope for highly regulated sectors, such as the financial services industry, to develop community-based clouds built on shared but segregated infrastructure. Some clouds could be designed to enable compliance with regulatory obligations by permitting independent audits of the whole infrastructure and system (rather than per user) against industry standards and by sharing the results with regulators. This may help abate providers’ concerns that excessive transparency about the security of shared infrastructure can itself compromise security.
Contract terms should be proportional to the nature, usage and risk of the Shared Computer Service. Bigger users, particularly from regulated industries, are negotiating more and some even require contracts to be on their standard terms. If adopting this approach, users are advised to ensure standard terms are cloud-appropriate and adequately address the key principles raised by APRA in its paper.
Shared Computer Service risks can be managed through technological and contractual means, including contemporary means such as using integrators (who, by spreading risk across users and taking a pragmatic approach to aggregated risk, can often give contractual assurances regarding liability, service standards, support, and backup that are not attainable from the provider) and through insurance.
There may even be scope for financial institutions to collaborate on producing suitable and balanced terms for Shared Computer Services in consultation with providers, subject of course to competition law restrictions.
Providers who contract on their own terms of service would be well advised to conduct a regulatory audit of those terms (and of contracts with sub-providers) in light of APRA’s recent guidelines, mindful of the need for regulated users to be compliant.
For further information, please contact:
Robert Todd, Partner, Ashurst