01/09/2023

APRA continues to make clear its intention to strengthen supervision and step up enforcement of operational and cyber risk management practices and preparedness by banks, insurers and superannuation trustees. These entities should prepare for ongoing regulatory scrutiny and heightened expectations of their ability to rapidly detect control weaknesses and implement responses to cyber incidents.

In a colourful speech, APRA Executive Board Member Therese McCarthy Hockey recently said that the new cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230) released last month (read our article 'APRA releases final version of the new cross-industry Prudential Standard CPS 230 Operational Risk Management') is designed to ‘light a fire’ under APRA regulated entities so they act with heightened urgency to emerging operational risks posed by new technologies and innovation and evolving cyber threats.

We recap the key takeaways from McCarthy Hockey’s speech and recent APRA activities in this space.

APRA running out of patience with non-compliance with APRA standards

Hockey described how the operational risk environment has evolved from threats of bank robberies and warehouse fires to breached servers and firewalls, and phishing emails, which have the potential to leave millions of Australians without access to funds and services. This poses a real threat to financial stability and community well-being.

The standards set by CPS 230 ensure APRA-regulated entities are well positioned to address the operational risk management and business continuity challenges of rapid industry change caused by new technologies and innovation, including generative artificial intelligence. The implications for financial stability are being considered by financial regulators globally.

A huge challenge with developing modern operational resilience is the rapid speed of technology and innovation outpacing the ability of entities to manage associated risks. Hockey pointed to recent analysis from the first tranche of APRA’s cyber security stocktake that assessed progress of the financial services sector in meeting APRA’s existing prudential standard on information security (CPS 234). This revealed that many banks, insurers and superannuation trustees are still struggling to meet their minimum requirements.

While APRA understands the evolving nature of cyber threats, which Hockey said left entities ‘constantly firing at moving targets’, against the backdrop of a growing list of cyber incidents, the regulator appears to be rapidly running out of patience with the slow pace of uplift. Entities should expect to see APRA taking strong action.

APRA has observed a long period of insufficient investment by businesses in both cyber security technology and personnel with the necessary skills and experience. But Hockey identified the root cause as really a ‘mindset’ issue where information security is seen by boards as a technology rather overall business risk. By leaving cyber resilience to IT and cyber-security departments, boards are failing to provide proper oversight over the ‘crown jewels’, including the data their organisations (and outsourced service providers) collect and manage.  

Entities should act now to be CPS 230 ready

To close the gap between information security and operational risk, APRA has set a firm deadline of 1 July 2025 for CPS 230 compliance. While the longer implementation period allows time for entities to address compliance gaps observed by APRA, it is very clear from Hockey’s speech that entities should expect scrutiny of their preparedness for the new standards throughout 2024, well before the deadline for compliance.

Hockey highlighted that over the next 12 months, APRA expects boards to focus on three key actions:

  • Putting the right governance arrangements in place: APRA expects boards to ensure robust governance, financial capacity and sufficient resources to successfully implement the requirements of CPS 230.
  • Identifying critical operations and material service providers: these must be identified mid next year and entities are expected to be well positioned to set tolerance levels by the end of 2024. APRA also expects entities to perform detailed gap analysis against the requirements to identify areas of challenge to implementation and act to resolve them.
  • Develop a new organisational mindset: The most critical action APRA expects is for entities to ‘build a new mindset’ about where their boundaries of responsibility sit. The new requirement of an end-to-end view of operational risk requires understanding of the business’ critical operations, including those performed by third and fourth parties. It is not enough to simply be aware of internal operational vulnerabilities. CPS 230 will require a shift in mindset in viewing third and fourth-party services providers almost as a part of the entity’s own operation.

Throughout the transition phase, APRA will engage with regulated entities on CPS 230 readiness (including board-level engagements planned in early 2024), and they should expect to be asked about:

  • outcomes of any gap analysis undertaken by them or their external assurance provider; 
  • the progress made against the change management or transition plan for compliance against the new standard; 
  • their plan for demonstrating compliance against operational risk, business continuity management and service provision elements as well as any key challenges or blockers to this; and
  • any lessons learned in the process to date.

In our recent in depth article, 'APRA releases final version of the new cross-industry Prudential Standard CPS 230 Operational Risk Management', we explained how the new obligations in CPS 230 differ from existing standards and what entities can do to prepare for the implementation of CPS 230.

APRA to turn up the heat on enforcement

Hockey acknowledged that the implementation of the new CPS 230 requirements and in particular the embedding of a new way of thinking about operational risk will be challenging and will come at a cost to businesses. Hockey, however, considers that compliance with the APRA requirements is no longer optional as community standards have evolved with consumers expecting businesses to be reasonably prepared to address modern operational risks. APRA has clearly signalled a campaign of close supervision, investigation and potentially enforcement. While APRA’s enforcement activity to date has largely been limited to advocating for enhanced cybersecurity while the ACCC and ASIC have taken a leading role in addressing scams, Hockey stated that APRA is stepping up its enforcement activities, with the imposition of additional capital requirements a ‘likely outcome’. This comes off the back of APRA’s previous action in June this year to impose additional capital requirements of $250 million on a private health insurer in relation to a major cyber incident. APRA is clearly preparing to ‘apply the heat’ against banks, insurers and super trustees who fail to deliver on the new requirements.

As noted in our previous article, G+T has a team of experts to support entities in their transition CPS 230 activities.

Our market leading Disputes + Investigations team also work closely with internal legal, risk and compliance teams and business stakeholders to assist entities responding to regulator engagements in relation to cyber incidents, including reporting and management, investigations and enforcement activities.

""