APRA and the 2021 Priorities: What it Means for Technology Leaders of FSIs
APRA has recently released its policy and supervision priorities for the coming year. Its stated focus is to further enhance the resilience and crisis readiness of Australia’s financial system.
“APRA’s priority is to maintain a financial system that is resilient,” said APRA Chair Wayne Byres, underlining the value of an “ongoing regulatory program that seeks to identify risks and put in place appropriate mitigation strategies to protect the interests of depositors, policy holders and fund members.”
APRA have flagged that in 2021 they will enhance their:
Policies – the framework of prudential standards and practice guides, setting minimum standards under which regulated entities are expected to operate
Proactive Supervision Requirements – APRA can direct FSIs to allocate resources towards areas that pose the greatest risk or impact, including anticipating the impact of current and emerging risks.
Focus Areas for 2021
A new prudential standard for disaster recovery and resolution planning. All regulated entities will need to ensure they effectively plan for and manage crisis events and periods of stress. Crisis Management, Backup/Restoration and Disaster Recovery testing is likely to be a focus area on future reviews.
Review of requirements related to operational resilience, including aspects of outsourcing (CPS231), business continuity (CPS232) and information security (CPS234). A holistic approach to outsourcing, security and continuity is recommended. Procurement, Security and Operations will need to coordinate and align their frameworks, procedures and assurance activities.
Consultation on new guidance for stress testing, focusing on regulated entities’ approach and maturity in forward-looking recovery planning and in security threat analysis and testing. Regulated entities will need to provide evidence that they have tested, verified and matured their Disaster Recovery plans, Vendor Contingency and Backup/Recovery processes.
Cyber resilience maturity and effectiveness (CPS234 alignment). Regulated entities will be required to engage external auditors for assessments of compliance and weaknesses, cyber resilience data collection, a cyber information sharing community pilot and cyber resilience testing. Regular cyber maturity assessments are core to demonstrating improvement, with a focus on threat analysis of key assets.
Recovery and resilience via effective contingency planning and regular testing of those plans. A credible recovery capability, with simple and credible resolution strategies in place, is expected. Proof of contingency, disaster and backup recovery capability will be core to demonstrating credibility. There will be a focus on the Superannuation industry, with recovery and resolution planning reviews.
Assessment of the range and concentration of service providers used by regulated entities. This means a review, and a regular process of reviews, of all technology vendors and the services they provide, together with a risk-based assessment of contingency plans for key services.
In flagging these priority areas for 2021, APRA has indicated that the bar is being raised. Previously expected practice will now be the required norm. 2021 will establish the importance of aligning Outsourcing, Continuity and Security, and of their continued improvement and maturity. This will be a period in which proving and improving resilience and crisis readiness is required, in addition to current governance, assurance and reporting requirements.
About the Author: Mark Zanon is the Managing Director of Capital Consult, which has been providing specialist advice and services to organisations dealing with APRA since 2008. We assist organisations to interpret and achieve compliance with the APRA prudential standards, guidelines and supervisory framework, with a core competency in technology regulatory compliance.