In July, the Australian Prudential Regulation Authority (APRA) finalised a new prudential standard for insurers, banks and superannuation firms to ensure they better manage operational risks and business disruptions.
“The need for APRA’s new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches,” said APRA chair John Lonsdale, referring to high-profile cyber attacks on firms including Medibank and Optus.
Lonsdale said the new regulation – called CPS 230 – will ensure regulated entities set and test controls and maintain robust business continuity plans to respond to disruptions.
The new standard does not come into force until July 2025 but the APRA chair warned financial services firms to start proactively preparing.
“Rather than waiting until the last minute to get ready to meet the new requirements,” he said.
Rachel Riley (pictured above) is head of strategic operations for Ansarada. The global firm describes its offering as a “digital governance framework” for “securely managing critical information.”
“It’s [CPS 230] hugely important for the insurance industry,” said Sydney-based Riley.
Her interest in CPS 230, she said, dates to having customers in the UK. A couple of years ago her firm needed to comply with the Financial Conduct Authority’s (FCA’s) equivalent operational resilience standards.
“We first looked at it, to be honest, as just another regulation but when you actually dig deeper it is a new and better way to look at risk management,” Riley said.
There is some complexity in the new standards, she said, both in the UK and now in Australia. However, Riley said insurers and their customers should think about them “holistically” in terms of their critical processes for delivering goods and services to customers and the resources – like people and assets – that help those processes.
“So how can I ensure that, no matter what event impacts my process, I can get my services to consumers out?” she said. “And how can I ensure I recover from as quickly as possible, so it doesn't have a material impact.”
The risk management expert said she looks at APRA’s new standard through two lenses.
“So APRA can come in and have a look in terms of what they're [an insurer or company] doing on their operational risks,” said Riley. “Then it's bringing in other reporting requirements that are triggered by events.”
If a disruptive event occurs, she said, under CPS 230, an insurance company is required to report that event. She said that includes events caused by a relationship with a third party.
“It’s giving them, from the board down, what I would consider a significantly more visible and concrete view of operational risks and the obligation to manage those risks more proactively than ever before,” said Riley.
The list of possible disruptive events includes cyber attacks, bushfires and floods. APRA already considered cyber attacks to be a disruptive event but CPS 230 pushes that definition out further, said Riley.
“CPS 230 brings into play the concept of tolerance levels,” she said. “So the business now sets tolerance levels for a cyber event, or a bushfire or something that takes out resources or assets,” she said.
Riley said that tolerance level could be set at 24 hours and then any time beyond that might be considered “intolerable” based on the material impact to the business.
“CPS 230 takes a tolerance level approach where it says, okay, based on the critical processes that you need to deliver, set your tolerance levels,” she said. “So some processes might have a tolerance of 48 hours, because they have controls that can withstand a material impact on the company but some tolerance levels might be set at 24 hours.”
She said under the new standard, insurance companies will need to “test key, plausible disruptive events and what happens if those events take place.” The idea is to ensure a disruptive event can be managed within the tolerance level.
These tests could include, for example, live simulations where a production area is deliberately interrupted or staff are prevented from logging into the system.
“So, it's a much more proactive look at resilience or race than, you know, your traditional BCP [business continuity plan],” said Riley.
CPS 230, she said, goes beyond the current regulations requiring a board to ensure a BCP and a cyber plan are in place.
“APRA requires the board to sign off and be comfortable with the processes that are critical to the business and the tolerance levels that the business could withstand without a material impact and that the testing has been conducted,” said Riley. “It can be quite complex if you look at it piece by piece but holistically, that's pretty much what it is aiming to do.”
What tests are you running to ensure your insurance company is CPS 230 compliant? Please tell us below