Financial services and insurance (FSI) industry firms must maintain “credible” business continuity plans and “appropriate and sound” IT infrastructure to manage cyber or other potentially disruptive incidents, new APRA risk management guidelines have mandated.
In development since last year, the new Prudential Standard CPS230 includes a range of measures designed to boost the resilience of companies operating in the sector, which APRA regulates with an eye towards anticipating and managing the risks present in everything a business does.
To ensure they don’t get caught off guard by a data breach or other unexpected incident, CPS230 requires APRA-regulated entities to plan ahead by implementing “effective internal controls, monitoring and remediation” capable of helping them identify, assess and manage operational risks from “inadequate or failed internal processes or systems, the actions or inactions of people, or external drivers and events”.
This means regulated entities must not only develop a viable business continuity plan capable of ensuring banking and other services remain accessible after “severe disruptions”, but actively evaluate the risk management practices of key service providers – with formal agreements and “robust monitoring” to ensure that regulated entities aren’t exposed to risk from less prepared third parties.
This includes documenting all “processes and resources” involved in delivering critical operations – including people, technology, information, facilities and service providers, the interdependencies across them, and the associated risks, obligations, key data, and controls.
Businesses of all kinds rely on third-party service providers to support their operations, but unknown weaknesses in those companies’ security practices have frequently been exploited by cyber criminals – as recently happened to the likes of British Airways, Deakin University, and Medibank.
Recognising the potentially disastrous consequences if such a compromise were to hit an Australian bank or other FSI firm, APRA warned that a regulated business must conduct a “comprehensive risk assessment” before using third-party services and “must not rely on a service provider unless it can ensure that in doing so, it can continue to meet its prudential obligations in full, and effectively manage the associated risks.”
An obligation to keep IT current
APRA is also cracking down on outdated IT systems, warning that regulated companies are required to maintain “appropriate and sound” IT infrastructure to meet current and projected business requirements, and to “monitor the age and health of its IT infrastructure” to ensure cyber security maintains effective.
In addition to keeping core systems current, CPS230 requires businesses to maintain “appropriate and effective information systems to monitor operational risk, compile and analyse operational risk data and facilitate reporting to the Board and senior management” – a nod to the increasingly common operational dashboards and purpose-built risk scoring tools such as Rapid7’s recently released Executive Risk View.
“Disruptions to financial services can cause a major detrimental impact to the people who rely on them to pay bills, recover from financial loss or support themselves in retirement,” APRA chair John Lonsdale said in announcing the new standard, on which the agency is accepting feedback through 13 October in anticipation of its taking effect on 1 July 2025.
The need for the new regulations had become evident after “a number of recent operational risk control failures and disruptions, including material cyber breaches,” Lonsdale noted.
“We expect regulated entities to be proactive in preparing for implementation,” he continued, “rather than waiting until the last minute to get ready to meet the new requirements.”
Upping the ante on risk management
The new mandate is the latest in a series of efforts by APRA to force its more than 300 regulated entities to get serious about ensuring the sector – which is one of eleven industries designated by the government as critical infrastructure sectors – prepares itself to manage the threat of cyber security and other compromises.
A recent audit showed just how much work the industry has to do to make itself cyber secure, with APRA recently flagging the “inadequate” cyber security of Australian FSI firms after the first stage of an ongoing audit of compliance with the companion Prudential Standard CPS234.
The new requirements of CPS230 will further increase expectations of regulated firms, strengthening the APRA narrative that executives must not only be aware of the risks that cyber attacks pose, but could be held personally liable for breaches.
Triggered by the fallout from last year’s massive Medibank data breach, APRA recently warned that executives could have their compensation cut in the wake of a data breach – echoing the spirit of organisations such as the ACS, which has advocated the floating of potential jail time as a penalty for repeated privacy beaches.