
APRA finalises rules to strengthen resilience against operational risks and cyber threats

The prudential regulator has published rules to bolster resilience against disruptions and cyber threats, asking banks, insurers and funds to enhance internal processes.


The prudential watchdog has finalised new rules requiring banks, insurers and superannuation funds to lift internal processes to be more resilient to disruptions, including from cyber attacks and risks from contracts with external providers.

From July 2025, APRA-regulated companies will need to incorporate the new minimum standards for managing operational risks, including having robust business continuity plans to respond to disruptions.

APRA’s new rules follow a year-long consultation with industry, and come after an assessment of hundreds of banks, insurers and superannuation trustees that found widespread gaps and cyber weaknesses, even after a spike in high-profile attacks in recent months.

“The need for APRA’s new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches,” Australian Prudential Regulation Authority chair John Lonsdale said.

“Disruptions to financial services can cause a major detrimental impact to the people who rely on them to pay bills, recover from financial loss or support themselves in retirement.”

APRA chair John Lonsdale. Picture: Chris Pavlich/The Australian

Since the draft rules were published last year, many companies have told the regulator that its expectations, which also include having a comprehensive policy for managing the risks associated with service providers, would be too difficult to meet by the original July 2024 deadline. APRA responded by pushing the start date back a year.

APRA still expects senior management to at least identify critical operations and material service providers by mid-2024, and “be well positioned to set tolerance levels by the end of 2024,” it said.

Supervisors from the regulator would engage with banks, insurers and funds during the implementation period of the new prudential standard CPS 230 Operational Risk Management.

“We expect regulated entities to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements,” Mr Lonsdale said.

“There will be a transition phase for existing contractual arrangements with material service providers for entities that need some flexibility.”

The standards will apply to existing contractual arrangements from the earlier of the next renewal date of the contract or 1 July 2026.

APRA last month ordered Australia’s largest health insurer Medibank to hold an additional $250m in capital and to undergo a targeted technology review focused on its governance and risk culture, after it suffered one of the largest data breaches in Australian history.


Original URL: https://www.theaustralian.com.au/business/financial-services/apra-finalises-rules-to-strengthen-resilience-against-operational-risks-and-cyber-threats/news-story/0781f35a5415effff077bcdb6fbcbf5c