Cybersecurity and risk culture among APRA's top priorities for the year ahead

8 minute read  02.02.2022 Kate Hilder, Siobhan Doherty

APRA has outlined its supervisory and policy priorities for the next 12 to 18 months.  A high level summary of some of the regulator's key areas of focus and planned actions is below.  


Key takeouts


  • Risk Culture: Rolling out the employee risk culture survey to 40 additional regulated entities in the insurance and superannuation sectors is among the regulator's key priorities for 2022.
  • Climate risk: APRA has flagged plans to roll out a cross-industry climate risk self-assessment to 90 entities (across APRA-regulated sectors) in H1 2022. The aim is to enable APRA to understand the alignment between entities’ management of climate-related financial risks, the guidance set out in CPG 229, and the recommendations of the Task Force on Climate-related Financial Disclosures.
  • Cyber risk: APRA identifies improving cyber resilience as 'a key cross-industry supervision priority'. Over the next 12 months, APRA plans to: a) continue its CPS 234 Information Security independent compliance assessments of regulated entities (in tranches); b) continue its 'deep dive thematic reviews' at selected entities; c) collect 'cyber resilience data'; and d) work with industry and government agencies to 'expand the cyber information sharing community and collaboration opportunities, thereby improving situational awareness'. In addition, APRA flags operational and cyber resilience as a key area of focus in the private health insurance context.
  • Modernising 'prudential architecture': APRA has said it will commence work toward this multi-year objective in 2022. This will involve APRA focussing (among other things) on how digitalisation could help support better and more adaptable regulation.

APRA's policy and supervisory priorities for the next 12-18 months

The Australian Prudential Regulation Authority (APRA) has released two information papers setting out its policy and supervision priorities for the next 12 to 18 months to enable regulated entities and other stakeholders to 'prepare and proactively engage' with the regulator on key priority areas.

APRA's priorities are underpinned by three key outcomes, aligned to the regulator's long term strategy, namely: 1) ensuring resilient and prudently managed financial institutions; 2) promoting the stability of the Australian financial system; and 3) contributing to the community’s ability to achieve good financial outcomes.

In addition, APRA has indicated its intention to commence work on its new multi-year objective of modernising the prudential architecture, consistent with its 2021-25 Corporate Plan.  

A high level summary of some of APRA's key policy and supervisory priorities is below. 

[Note: Annex B of the policy priorities information paper is a table summarising the proposed actions/timelines for delivering APRA's policy objectives.  Attachment A of the supervisory priorities information paper is a table summarising APRA's supervisory activities and timelines.]

Modernising the prudential architecture 

From a policy perspective, APRA plans to commence a multi-year project to modernise the existing 'prudential architecture'.  This work is expected to involve a focus on:

  • 'Better regulation': For example, APRA plans to focus on ensuring prudential standards and guidance are easy to 'understand, find and navigate'.  APRA also plans to explore how to 'embed and operationalise simpler requirements for smaller entities' to reduce regulatory burden as far as possible, as well as look to support effective board oversight through engaging with directors on 'ways to assist them in understanding their prudential obligations such as a comprehensive handbook or enhanced guidance'.
  • Digitalisation: APRA will consider how digitalisation could help to support better and more adaptable regulation.  In 2022, APRA plans to engage an advisory panel of experts and industry stakeholders, and explore the potential for suptech and regtech solutions with industry.
  • Regulation of emerging risks: APRA will also continue to monitor emerging risks and consider their potential impact from a regulatory perspective.  On this point, APRA states that:

…'there will be a need  for innovation in regulation and new rules, such as the prudential treatment of crypto-assets under consideration by the Basel Committee on Banking Supervision. APRA is also monitoring the regulatory perimeter, to understand how the regulatory architecture will need to evolve to cater to new risks and new business models'.

APRA's primary focus this year will be on 'progressing initial steps and scoping the longer-term path ahead'.  Looking forward to 2023-2025, APRA envisages launching a 'series of initiatives' to improve the accessibility and adaptability of APRA's prudential framework to ensure alignment with user needs.  

APRA makes clear that it intends to 'engage closely and consult with industry' throughout the project as well as to learn from the approaches taken in other jurisdictions.   

Cross industry policy and supervisory priorities

Contingency and resolution planning

Improving crisis preparedness remains a focus for APRA in 2022.  

  • Policy priorities: In late 2021, APRA consulted on draft Prudential Standard CPS 190 Financial Contingency Planning (CPS 190) and draft Prudential Standard CPS 900 Resolution Planning (CPS 900).  APRA expects to finalise these standards in 2022 with a view to the standards taking effect from 2024 (with a one year transition period for RSE licensees to meet CPS 190).  APRA also plans to develop guidance to support entities in meeting the new requirements in 2022.  
  • Supervisory priorities: APRA states that supervisory activity will 'focus on enhancing the maturity of financial contingency (recovery and exit) planning, and reducing the risk of disorderly failure'.  APRA states that this will include both ensuring all APRA-regulated entities have recovery plans in place as well as 'increasing the quality' of plans 'to improve their credibility'.  In addition, APRA flags that 'preparatory work on expectations for resolution planning under CPS 900' will be a priority for 2022.   

Governance, Culture, Remuneration and Accountability (GCRA) remains a priority 

Remuneration

  • Policy priorities: CPS 511 Remuneration and the accompanying guidance take effect from 2023.  APRA envisages that the new standard will be 'supported' by new reporting/disclosure requirements to 'promote transparency and accountability'.  Finalisation of these new disclosure requirements is identified as a policy priority for the regulator in 2022.  In terms of timing, APRA plans to consult on the new requirements in the first half of 2022 with a view to finalising them by the end of the year.  
  • Supervisory priorities: APRA is currently conducting a pre-implementation review of CPS 511 Remuneration across 15 entities (five per industry: superannuation, banking and insurance).  No timeframe for completion is indicated.

Governance, Culture and Risk Management

  • Policy priorities: APRA plans to conduct a review of its governance and risk management standards in 2023.  APRA envisages that this review will consider 'how to improve' existing standards in a number of areas including: 'board and senior management roles and expectations, board obligations for risk culture, the relative emphasis on financial and non-financial risks, and requirements for compliance and audit'.  In terms of timing, APRA plans for the review of Prudential Standard CPS 510 Governance (CPS 510), Prudential Standard CPS 220 Risk Management (CPS 220), and the equivalent superannuation standards to commence in 2023.  APRA does not envisage that the changes would come into effect until 2025.
  • Supervisory priorities:
    • Following completion of a successful pilot with 10 general insurers in early 2021 and the subsequent roll-out of the employee risk culture survey to 18 of the largest ADIs in November 2021, APRA plans to roll out the survey to 'approximately 40 additional regulated entities' in the insurance and superannuation sectors.  APRA plans to publish insights on the broader themes that emerge from the survey results and engage directly with entities to discuss how any issues identified through the survey will be addressed. 
    • APRA plans to conduct 'risk culture "deep dives"' at a small number of large entities.
    • APRA will also continue to assess entities’ actions in response to risk governance self-assessments and regular prudential engagements.  APRA states that this will include assessing whether 'issues that are currently resulting in capital overlays or enforceable undertakings have been resolved'.

Supporting the (proposed) Financial Accountability Regime or FAR

  • From a policy perspective, and assuming the passage of the legislation to establish the FAR regime (which will replace and expand on the existing BEAR), APRA identifies the following as policy priorities:
    • publication of a joint administration agreement (with ASIC) setting out principles for administering the new regime, as well as regulator rules and implementation guidance
    • APRA also plans to review Prudential Standard CPS 520 Fit and Proper (CPS 520) to ensure consistency with the FAR.
  • From a supervisory perspective, APRA flags 'working with the Government and ASIC to establish and plan' for implementation of the planned FAR as a priority.   

Operational risk management/resilience 

  • Policy priorities: From a policy perspective, APRA will focus on lifting standards of operational risk management. 
    • In 2022, APRA plans to consult on 'enhanced requirements for operational risk management' including setting minimum expectations for 'systems, controls and remediation, business continuity and arrangements with third parties'. 
    • New Prudential Standard CPS 230 Operational Risk Management (CPS 230) is 'expected' to come into effect from 2024.  The new standard will replace existing requirements in Prudential Standard CPS 231 Outsourcing (CPS 231) and Prudential Standard CPS 232 Business Continuity Management (CPS 232), as well as the equivalent superannuation standards. 
  • Supervisory priorities: From a supervisory perspective, APRA will have a strong focus on the actions being taken by regulated entities to strengthen their operational resilience, particularly in the context of oversight of third party service provision.  APRA plans to:
    • monitor regulated entities’ improvements in contingency planning, business continuity arrangements, and management and oversight of third-party providers;
    • develop a non-financial risk data collection in 2022 to provide data-driven insights and drive supervisory resource allocation.
    • APRA will also 'devote attention to changes in entities’ operational risk and compliance profiles'.  For example, changes resulting from regulatory reforms such as the ADI (Authorised Deposit-Taking Institution) transition from the Advanced Measurement Approach (AMA) for Operational Risk Regulatory Capital to the Standardised Measurement Approach (SMA), entity driven transformation programs and/or merger and acquisition activity.

Other cross industry supervisory priorities

Improving cyber resilience 

APRA identifies improving cyber resilience as 'a key cross-industry supervision priority'.  Over the next 12 months, APRA plans to: 

  • continue its CPS 234 Information Security independent compliance assessments of regulated entities (in tranches) and share insights with industry 
  • continue its 'deep dive thematic reviews' at selected entities
  • collect 'cyber resilience data, to improve APRA’s ability to target supervisory activities and profile the industry for cross-industry insights'
  • work with industry and government agencies to 'expand the cyber information sharing community and collaboration opportunities, thereby improving situational awareness'.

Climate-related financial risks 

Following the finalisation of Prudential Practice Guide CPG 229 Climate Change Financial Risks, APRA states that it 'will be seeking to develop additional tools to evaluate climate-related financial risks, and increasing its scrutiny of entities’ progress in addressing the impact of climate risk'.  In the 'near term' APRA's priorities include:

  • Asking 'approximately 90 entities' to complete a climate-management self-assessment survey in H1 2022, to enable APRA to understand the alignment between their management of climate-related financial risks, the guidance set out in CPG 229, and the recommendations of the Task Force on Climate-related Financial Disclosures.  
  • Completion of the Climate Vulnerability Assessment (CVA) currently on foot.  

Sector specific focus areas

APRA has also outlined specific policy and supervisory focus areas for the banking, insurance and superannuation sectors.

Banking sector

From a policy perspective, APRA states that its key focus will be on implementation of the bank capital reforms including finalising guidance and progressing revisions to market risk standards.  APRA is also reviewing the prudential standard for purchased payment facilities in the context of the recent payments system review and other recommendations. You can find a summary table of the proposed timeline for revisions to specific standards/guidance at p19 of the policy information paper.  

From a supervisory perspective, APRA states that there will be 'a strong focus on upgrading contingency and continuity frameworks in the banking industry, in addition to an ongoing focus on the areas of credit, capital and liquidity'.

Insurance sector

From a policy perspective APRA’s priorities for the three insurance industries (general, life and private health insurance) for 2022 are focused on the completion of reforms to the insurance capital standards, including AASB 17 and LAGIC updates and the capital standards for private health insurers (PHI).  In 2023, APRA plans to review prudential requirements and guidance on insurance risk management.  A summary table detailing the proposed timeline for revisions to specific standards/guidance is included at p20 of the policy information paper.

From a supervisory perspective, APRA will focus on monitoring the steps being taken by insurers to address the 'availability, affordability and sustainability' challenge.

Further detail

General insurance

  • APRA will continue the work commenced in 2021, examining the 'root causes' behind the uncertainty in the drafting/design of business interruption insurance (BI) with the aim of 'minimising the risk of similar issues manifesting in other product lines'.
  • APRA will review and benchmark the results of the risk management self-assessments conducted by some insurers in the first half of 2022 and work with insurers to ensure any issues identified are addressed.  APRA will also publish 'learnings and best practice'.
  • Ensuring all general insurers have 'credible and robust recovery plans in place by the end of 2022' is also flagged as a priority.  

Life insurance

  • APRA states that the key supervisory focus is product sustainability, including 'on-going availability of suitable products and policyholder affordability'.  This will include monitoring the individual disability income insurance (IDII) products released in late 2021.
  • APRA will also continue to pay 'close attention to the areas of risk governance and data quality in life insurance'.
  • Friendly societies: Over the first half of 2022 APRA plans to finalise its work on an APRA-led industry-wide stress test of friendly societies. In addition to completing the stress test, a review of risk management and governance practices will be undertaken.

Private Health Insurance

  • APRA plans to continue to engage with industry to assess insurer strategies to respond to the challenges of affordability and increasing claims costs.   
  • APRA also flags operational and cyber resilience as a key area of focus in this sector.  APRA states:

'The PHI industry relies extensively on service providers to fulfil policyholder obligations and the collection of both financial and health data elevates the importance of matters such as information security.  APRA is developing data collections covering these areas, to inform thematic reviews across a selection of insurers over the course of 2022.  APRA will also continue to review the strength of relationships with systemic service providers to the PHI industry'. 

  • Prudent management of the 'unwinding' of the Deferred Claims Liability will also be a focus area. 
  • APRA will also continue to engage with industry and other government agencies to police insurers’ commitment not to profit from COVID-19.

Superannuation sector 

  • From a policy perspective APRA states that it is focused on 'strengthening financial resilience in superannuation and improving outcomes for members'.  You can find a summary table detailing the proposed timeline for revisions to specific standards/guidance at p20 of the policy information paper.
  • From a supervisory perspective, APRA identifies two key objectives: a) 'rectifying sub-standard industry practices'; and b) 'eradicating unacceptable product performance'. Among other things, APRA plans to focus on: monitoring the extent to which RSE licensees have incorporated the Your Future Your Super obligations into decision making frameworks and business operations, preparation for the proposed Retirement Income Covenant and entities' 'readiness for the associated changes'.  

[Sources: Information Paper: APRA's policy priorities 01/02/2022; Information Paper: APRA's supervisory priorities 01/02/2022]

https://www.minterellison.com/articles/apra-supervisory-and-policy-priorities-2022