Service providers
The proposed CPS 230 largely focuses on operational risks associated with material service providers. A material service provider is one an entity relies on to undertake a critical operation or that exposes the entity to material operational risk. The discussion paper for the proposed CPS 230 includes a list of the types of services that would be classified as material for the banking, insurance and superannuation sectors. Services supporting critical operations, risk management, core technology services and internal audit have been flagged as material across all these sectors.
New products and activities
The proposed CPS 230 requires an APRA-regulated entity to assess the impact of new products, services, geographies and technologies on its operational risk profile as part of operational risk management.
The discussion paper for the proposed standard uses crypto-assets as an example of an emerging area where regulated entities will need to have prudent processes and controls. It emphasises the importance of operational risk management around fraud, cyber, conduct, AML/CTF and technology risks when dealing with crypto-assets. In particular, APRA has outlined its expectation that all regulated entities will conduct appropriate due diligence and a comprehensive risk assessment before engaging in activities associated with crypto-assets, and apply robust risk management controls.
APRA's focus on crypto-assets reflects broader regulatory trends, including recent reform proposals in relation to crypto assets. (For more information, view our submission in response to the Treasury's consultation on a licensing and custody regime for crypto asset secondary service providers.) APRA is separately considering the appropriate prudential framework for crypto-assets in Australia in conjunction with this reform.
Business Continuity Management
The proposed new standard incorporates and updates requirements for business continuity management that are currently set out in CPS 232 and SPS 232.
The proposed CPS 230 requires APRA-regulated entities to clearly identify their critical operations, set tolerances to define levels of disruption that would be unacceptable, and maintain credible plans to respond to and recover from incidents and events.
The concept of critical operations in draft CPS 230 is similar to the existing concept of "critical business operations" in the current CPS 232, but with a definition now more focused on outcomes and the key stakeholders of the entity, rather than the entity itself. The proposed CPS 230 defines critical operations as "processes undertaken by an APRA-regulated entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on its depositors, policyholders, beneficiaries or other customers, or its role in the financial system". The draft standard specifies that critical operations include, but are not limited to, payments, deposit-taking and management, custody, settlements, clearing, claims processing, investment management, fund administration, customer enquiries and the systems and infrastructure needed to support these operations.
Under the proposed standard, APRA-regulated entities are required to set Board-approved tolerance levels for each of their critical operations, being:
- the maximum period of time the entity would tolerate a disruption to the operation;
- the maximum extent of data loss the entity would accept as a result of a disruption; and
- minimum service levels the entity would maintain while operating under alternative arrangements during a disruption.
The proposed CPS 230 is consistent with requirements to maintain a business continuity plan (BCP) under the existing CPS 232 and SPS 232. The draft standard sets out matters that an entity's BCP must include, being:
- the register of critical operations and associated tolerance levels;
- triggers to identify a disruption and prompt activation of the plan, and arrangements to direct resources in the event of activation;
- actions it would take to maintain its critical operations within tolerance levels through disruptions;
- an assessment of the execution risks, required resources, preparatory measures, including key internal and external dependencies needed to support the effective implementation of the BCP actions; and
- a communications strategy to support execution of the plan.
Importantly, under the proposed CPS 230 an APRA-regulated entity is required to submit its BCP to APRA on an annual basis and, if it has activated its BCP, to notify APRA as soon as possible and no later than 24 hours after activation.
Next steps
Submissions on APRA's CPS 230 Discussion Paper close on 21 October 2022.
Importantly, once the standard becomes operational, it will apply immediately in relation to the renewal of an arrangement with a material service provider (including related entities).
In preparation for these changes, organisations should consider what uplifts may be required to their existing policies, procedures and processes, as well as to their contracts with entities in their supply chain. Unlike some other regulatory change programs, organisations will need to approach this with a strategic and systems lens that will enable them to navigate an increasingly complex and disruptive environment. Existing policies, procedures and processes will need to speak to each other under a consistent framework that, for many organisations, will require design and uplift. It is important for organisations to clearly define and articulate the desired outcomes prior to the commencement of any uplift initiatives. Implementation of the proposed CPS 230 is likely to be a significant project for affected organisations and will require a significant investment of time and resources.
Links to key material
Discussion Paper - Strengthening operational risk management (apra.gov.au)
MinterEllison provides full service IT legal and consultancy services with extensive experience in cyber security, privacy, data protection and software and IT service procurement. Please contact us if you would like assistance in understanding and implementing your obligations under the new security of critical infrastructure laws.