Rules for cloud outsourcing
2. Are there any rules that apply to cloud use by financial institutions (e.g., rules regarding outsourcing or the use of cloud services)?

Yes. 

Australian Prudential Regulation Authority ("APRA") Prudential Standards and Guidance

Several mandatory Prudential Standards apply to entities regulated by the APRA, such as authorized deposit-taking institutions, superannuation funds and insurers (APRA-regulated entities). The Prudential Standards contain requirements relevant to outsourcing and data security. For example, banking, insurance and life insurance APRA-regulated entities are subject to Prudential Standard CPS 231 on Outsourcing ("CPS 231"). CPS 231 requires that outsourcing of "material business activities" be subject to appropriate due diligence, approval and ongoing monitoring. The APRA has also provided the following related guidance:

  • Prudential Practice Guide PPG 231 — Outsourcing, which indicates the APRA's view of sound practices for outsourcing and provides guidance on the implementation of CPS 231 (e.g., the usual content of the minimum contractual provisions for an outsourcing agreement)
  • Information Paper on Outsourcing Involving Cloud Computing Services, which outlines the APRA's expectations when applying the above requirements in a cloud computing context

Readers should note that a draft Prudential Standard CPS 230 on Operational Risk Management, which is intended to replace a range of prudential standards including CPS 231, was the subject of consultation with industry stakeholders in 2022 and is planned to take effect from 2024.

There are also other Prudential Standards and guidance relating to information security risks that would be relevant when engaging a cloud services provider, primarily:

  • Prudential Standard CPS 220 on Risk Management — with additional guidance in Prudential Practice Guide CPG 220 on Risk Management
  • Prudential Standard CPS 234 on Information Security — with additional guidance in Prudential Practice Guide CPG 234 on Information Security
  • Prudential Practice Guide CPG 235 on Managing Data Risk.

Australian Securities and Investments Commission ("ASIC") requirements

Entities that are Australian financial services licensees and Australian credit licensees will need to comply with the ASIC policy on the requirements for outsourcing to ensure they meet the competency requirements of their license conditions.

Additionally, from 10 March 2023, financial markets and participants of such markets are subject to updated ASIC market integrity rules containing enhanced technological and operational resilience requirements, including in relation to outsourcing.

Exchange rules

Entities that are participants of the Australian Securities Exchange ("ASX") and ASX Clear (the clearinghouse for all shares, structured products, warrants and ASX equity derivatives) will be subject to the ASX Operating Rules and ASX Clear Operating Rules. These rules impose various requirements, among them an obligation to notify the ASX in writing of the details of material offshoring and outsourcing arrangements in respect of business activity conducted as a participant.