The Australian Prudential Regulation Authority (APRA) has issued guidelines on data risk management for general insurers, and warned them to “think long and hard” before outsourcing data management.

Prudential Practice Guide 235 has been issued as “weaknesses continue to be identified as part of APRA’s ongoing supervision activities”, the regulator says.

It aims “to provide guidance to senior management, risk management, business and technical specialists”.

“The multiple audiences reflect the pervasive nature of data, and the need for sound risk management disciplines and a solid business understanding to effectively manage a regulated entity’s data risk profile,” APRA said.

The guide covers topics such as data management frameworks, staff awareness, the life cycle of captured data and outsourcing.

The regulator warns insurers that outsourcing data management requires caution.

“APRA expects a regulated entity to apply a cautious and measured approach when considering retaining data outside the jurisdiction it pertains to.

“It is important that a regulated entity is fully aware of the risks involved and makes a conscious and informed decision as to whether the additional risks are within its risk appetite.”

The regulator does not expect the guidelines to replace existing industry standards. Instead, it aims to encourage boards and management to treat data as an asset.

“A regulated entity would typically use discretion in adopting whichever industry standards and guidelines it sees fit for purpose in specific control areas.”

The guide is for all financial services entities, including life insurers and banks.