The Australian Prudential Regulation Authority (APRA) has issued caution regarding the rapid evolution of the operational risk landscape, emphasising the need for businesses to adopt a more defensive approach.
APRA executive board member Therese McCarthy Hockey noted that while the concept of operational risk isn’t a new one, the nature of the risks themselves have evolved as the financial sector and customers become more reliant on digital technology.
“The most widespread threats to business continuity today are less to do with breaking into safes and more to do with breaking into servers; less about office fires than breached firewalls,” Ms McCarthy Hockey said.
“In an environment where one crashed server or ransomware attack can leave potentially millions of Australians without access to funds, the ability to mitigate operational risks is essential for financial stability and community well-being.”
Last month the regulator confirmed it had finalised Prudential Standard CPS 230 Operational Risk Management (CPS 230), which sets out new rules to ensure APRA-regulated entities are able to better manage operational risks and respond to business disruptions.
In response to consultation feedback last year, the final CPS 230 incorporates a number of changes, including deferring the commencement of the new standard from January 2024 to July 2025.
Ms McCarthy Hockey noted that while APRA only began consulting on CPS 230 in July 2022, the operational risk environment has already shifted substantially since then.
“These developments have a few things in common. The obvious one is the connection to technological innovation. The second is that these innovations rely on the successful integration of multiple technologies provided by a range of financial system players: the banks, insurers and super funds themselves, the cloud, payments providers, telcos, and big tech companies.
“A failure at any point in the chain has the potential to break down services to the entire system – with system latency and backups being ever more important.”
However, APRA pointed to many banks, insurers, and superannuation trustees still struggling to meet their minimum requirements as per CPS 234 introduced in 2019, which aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents.
“Given that cyber risk is at or near the top of every corporate risk register today and has been for several years, the obvious question is, ‘Why?’”
Ms McCarthy Hockey partially attributed this to the evolving nature of cyber threats that are compelling businesses to be “constantly firing at moving targets” but asserted that the root cause is organisations historically treating information security as a technology risk rather than an overall business risk.
“Rather than leaving cyber resilience to the IT and cyber security departments, boards need to become much more tech savvy and alert to how the threats have changed, in particular for the data they collect and manage. Boards need to provide stronger oversight of these ‘crown jewels’ in order to address threats as they emerge with the expediency they deserve.
“Understanding these reasons is not the same as accepting them, and APRA is rapidly running out of patience with the slow pace of uplift.”
As such, the regulator has moved forward with CPS 230 alongside the expectation that boards focus on three key actions: putting the right governance arrangements in place, identifying critical operations and material service providers, and beginning to develop a new organisational mindset.