APRA continues to hack away at strengthening operational resilience
Recent events have highlighted the heightened risk facing APRA-regulated entities, and strongly support the importance of setting and maintaining appropriate standards for conduct and compliance to effectively manage operational risk.
In response to the recent massive data breach involving Optus, Australia's second largest telecommunications company, the Australian Prudential Regulation Authority (APRA) on 6 October 2022 issued a media release to update APRA-regulated entities that APRA is working in close collaboration with the Australian Government, peer regulators and other relevant bodies to facilitate closer coordination and a controlled process of data sharing between Optus and APRA-regulated entities. The aim of this collaboration is to provide greater protection to Australians who may be at risk from the Optus breach, and APRA notes that the data shared can only be used for the purposes of implementing enhanced monitoring and safeguards for customers affected by the breach.
More recently, in response to questions from the House of Representatives economics committee, APRA chairman Wayne Byres (who is soon to end his term as chair of APRA) acknowledged that while APRA-regulated entities have lifted investment in cyber defence, cybersecurity risk is among the biggest challenges facing Australia's financial system and a cyber-attack on one of Australia's financial institutions "will happen" at some point in the future. The acknowledgment of this ongoing risk is consistent with APRA's focus on operational resilience and is a timely reminder for APRA-regulated entities to revisit APRA's draft prudential standard, CPS 230 (Operational Risk Management) (CPS 230).
Background to draft CPS 230
APRA recognises that recent years have demonstrated the critical importance of financial institutions being able to manage and respond to operational risks, evident for example in the challenges of the COVID-19 pandemic, cyber and technology risk, geopolitical unrest, volatile markets and natural disasters. Accordingly, APRA considers that sound operational risk management is prudent and fundamental to financial safety and system stability.
CPS 230 will require an APRA-regulated entity to review its controls and risk management whenever new products are introduced or other changes are made to the institution that may affect its operational risk profile.
APRA considers operational risk to comprise risks that may result from inadequate or failed internal processes or systems, the actions or inactions of people, or external drivers and events. Such operational risk events can lead to direct financial losses for an APRA-regulated entity and may also compromise its ability to continue to provide critical operations and services for customers.
CPS 230 is aimed at ensuring that APRA-regulated entities are well positioned to meet the challenges of rapid change in the industry and in technology more generally – this is achieved by:
- strengthening operational risk management – APRA-regulated entities must identify weaknesses in their existing practices and manage these operational risks with effective internal controls, monitoring and remediation;
- improving business continuity planning – APRA-regulated entities must be able to respond to severe business disruptions, maintain continuity of critical operations such as payments, settlements, fund administration and claims processing, and set clear tolerances for the maximum level of disruption they are willing to accept for those critical operations; and
- enhancing third-party risk management – APRA-regulated entities must understand and manage operational risks from the use of third-party service providers by extending operational risk management requirements to cover all material service providers that APRA-regulated entities rely upon for critical operations or that expose them to material operational risk, rather than just those that have been outsourced.
CPS 230 also requires APRA-regulated entities to identify and record their critical operations which, if disrupted, would have a material adverse impact on those relying on the services of the entity. Business continuity plans must be maintained, be fit for purpose, and detail how an APRA-regulated entity will recover should it be subject to disruption. These must be submitted to APRA on an annual basis.
There is also an expectation under CPS 230 that all risk incidents and near misses are identified and reported to APRA in a timely manner.
Further, as reliance on third-party service providers increases across the market, APRA-regulated entities must be able to identify their material service providers so that the associated risks can be managed. To enable APRA to assess the nature and extent of the service providers relied on by each industry, with a view to identifying and responding to potential systemic issues, CPS 230 requires an APRA-regulated entity to:
- submit its register of material service providers to APRA on an annual basis;
- notify APRA as soon as possible, and not more than 20 business days, after entering into or materially changing an agreement for the provision of a service on which the entity relies to undertake a critical operation; and
- notify APRA prior to entering into any offshoring agreement with a material service provider, or when there is a significant change proposed to the agreement, including in circumstances where data or personnel relevant to the service being provided will be located offshore.
APRA-regulated entities will need to consider any gaps between their current practices and the requirements set out in CPS 230 – particularly in respect of maintaining and testing internal controls to ensure they are effective in managing key operational risks.
APRA expects to release the final CPS 230 early next year, before the new standard comes into force from 1 January 2024.