APRA released an information paper titled Outsourcing Involving Shared Computer Services (Including Cloud) this week.
The document provides guidance to the industry on the topic, separating shared computing services into ‘low risk’ and ‘heightened inherent risk”.
Examples of low-risk services, according to APRA, are shared facilities with each entity’s IT assets located on separate hardware and shared infrastructure hosting data that is either “low criticality”, desensitised or publicly available.
Shared computing services with heightened inherent risk include those that have exposure to un-trusted environments; the ‘public cloud’; and arrangements where providers, the shared computing service or the specific usage has an “unproven track record”, said APRA.
Finally, the disruption of shared computing services that host customers’ information can have an “extreme impact”, said the regulator.
But UK and Australia-based cloud-computing wealth management firm PractiFI took exception to APRA’s approach.
“We lament, once again, the misguided nature of APRA’s approach to technology,” said PractiFI co-founder Adrian Johnstone yesterday.
“The regulator seems to be stuck in a time warp, where globalised, multi-tenant technologies are forever trapped as new entrants,” he said.
For the most part, the information in APRA’s new paper is “simple, uncontroversial stuff”, Mr Johnstone said.
“Where it all breaks down, however, is with APRA’s assertion that IT risks are dramatically ramped up when using contemporary outsourced approaches. They just aren’t,” he said.
Contrary to APRA’s assertions, software built by “global technology leaders with active clients in every major market in the world” is much less risky than software coded and tested “by hand” by developers locally.
“The best enterprise cloud solutions are more resilient and lower cost, both of which are massively in the best interests of members,” Mr Johnstone said.
“Understanding risk is a critical component of decision-making. But the inference that globalised, multi-tenant technology is inherently riskier than locally built and hosted systems is nonsense.
“Australia’s wealth industry leads the world in many respects, but it’s not immune to progress. The challenge for APRA is to make sure they don’t create unnecessary barriers to it staying there,” Mr Johnstone said.
