Search

Cybersecurity

Helping clients protect and recover value through proactive cyber risk identification and management, and rapid action in response to a breach.

Financial Crime

Helping clients to manage risk and regulatory compliance and respond to incidents of financial crime.

Forensic

Uncover, analyse and clarify facts at the centre of disputes, frauds and other sensitive commercial matters.

Performance Improvement

Providing advisory and accelerated implementation services to the public and private sector.

Real Estate

We advise on, develop, transact and invest in real estate and infrastructure.

Restructuring

Working with organisations and the public sector to stabilise operations or to recover value on behalf of stakeholders.

Search

About us

We are Asia-Pacific’s trusted advisers in cybersecurity, financial crime, forensic, performance improvement, real estate and restructuring.

Contact us

Our reach is global with offices across Australia, New Zealand, Indonesia and Singapore.

Environmental. Social. Governance.

ESG is a fundamental part of the way we do business. We take tangible action to make a difference for our people, clients, and communities.

20 years

Driven by an entrepreneurial spirit and a different mindset, celebrate the firm’s 20th anniversary.

Search

Cloud computing - why is APRA concerned?

The Australian Prudential Regulation Authority (APRA) is concerned that financial institutions are too optimistic about the benefits of cloud computing and have overlooked the associated risks that exist with these technologies.

Insights Cloud computing - why is APRA concerned?
Thursday, 30 July 2015

APRA, which regulates the financial sector, has released an Information Paper expressing their concerns regarding weaknesses in cloud outsourcing arrangements where IT assets are shared between entities (shared computing services). This is specifically differentiated from those services where IT assets are dedicated to a single entity. APRA states that while this has occurred for many years, there has been an increase in the ‘volume, materiality and complexity’ of these arrangements, including the sharing of software across industries. Its concern is not the maturing technology itself, but what it sees as a lack of commensurate increase in risk management considerations.

 

These concerns do not seem to be shared by Australian businesses. An ABS survey released in July 2015 showed that nearly 60% of companies stated that there were no factors which limited or prevented the use of paid cloud computing. The top five reasons for not adopting paid cloud computing services were:


Top 5 reasons - cloud services
 

Several other weaknesses identified in APRA’s review of these outsourcing arrangements include:

 

  • inadequate consideration of controls to ensure data security
  • limited due diligence and assurance activities undertaken
  • impediments placed on APRA’s access rights to the service provider.

 

Under APRA’s prudential outsourcing standards CPS 231 and SPS 231, regulated entities are required to notify APRA within 20 business days if their material business activities are being outsourced. If outsourcing arrangements are offshore, APRA-regulated institutions are required to consult with APRA prior to entering into these agreements. This is to ensure entities have fully understood and able to address the heightened risks.

 

What makes shared computing services a concern to APRA is not the maturing technology itself, but the lack of risk management and governance to protect the security of the data. In a further sign that this topic may continue to be scrutinised by APRA, earlier this year Bank of Queensland was forced to write off $10 million on their cloud-based customer relationship program system after they failed to meet operational and regulatory requirements.

 

Our Forensic Technology team includes leading computer forensic experts in the Australia and Asia-Pacific region. Whether it be reviewing electronic evidence in an intellectual property theft matter or eDiscovery services, we aim to provide a complete solution for our clients. From the issues raised by APRA, we can see that these risks do not only apply to financial institutions but to all organisations that use shared computer services. As technology continuously evolves, organisations need to constantly weigh up the benefits, be aware of the risks and manage them appropriately.

 

For more information, please contact one of our forensic technology experts.

 

Further reading: