APRA CPS 230 – Roadmap to Readiness

Major changes are coming to how financial services institutions are required to manage operational risk. The new APRA standard CPS 230 will become effective on July 1st, 2025.

As we have previously outlined, CPS 230 will significantly increase operational risk management requirements across many areas of FSIs. Compliance will require extensive preparation and APRA have advised that they will be expecting and assessing evidence of progress through 2024.

At Capital Consult, we have assisted many FSIs successfully navigate APRA regulations and demonstrate compliance. Leveraging this expertise, we have developed a CPS 230 readiness method, implementation roadmap and supporting CPS 230 readiness toolkit. This will enable FSIs to navigate the intricacies of CPS 230 and implement practical and tailored solutions to ensure compliance.

APRA has indicated the first step towards compliance is to complete a gap analysis and planning to achieve compliance. Our free CPS 230 Self-Assessment is a high-level gap analysis across the seven key CPS 230 requirement domains. This will provide a personalised findings report to help prioritise your efforts.

CPS 230 readiness will be a complex and time-intensive activity across the whole organisation. Don’t wait to start preparing. Contact us today to help you get ready for this important new regulation.

Learn More:

  • Learn more about Capital Consult’s CPS 230 offerings here.
  • Get your free personalised CPS 230 readiness report here.

About the Authors: Mark Zanon and Andre Kreicers are from Capital Consult, who have been providing specialist regulatory and technology advice, consulting and services to the Financial Services industry since 2008. We assist organisations to interpret and achieve compliance with the APRA prudential standards, guidelines and supervisory directions. Capital Consult has worked with many FSI clients in managing their APRA and regulatory obligations. This includes understanding and managing risk paradigms introduced through technology developments such as outsourcing, cloud computing, digital transformation, AI and Banking as a Service.

Capital Consult at the Lifeline 2023 Sapphire Gala Ball

At Capital Consult, we believe in making a difference to our clients, but we also believe in supporting some causes close to our hearts (and having some fun along the way). Our team members and spouses, some of whom have attended this ball for many years, were thrilled to purchase a table for the 2023 Lifeline Sapphire Gala Ball.

Lifeline is an incredible non-profit organisation that provides a lifeline of hope to those in crisis across Australia. Their round-the-clock telephone crisis support, suicide prevention services, and mental health assistance, whether through calls, face-to-face meetings, or online, are nothing short of inspiring. Each year, Lifeline Harbour to Hawkesbury Sydney hosts a charity ball to raise funds for their important work in Northern Sydney.

It was a night filled with suits, gowns and bow ties, music, funny hats and glasses and laughs – all to celebrate life. Some of the team members also did well in the auctions, adding a touch of friendly competition to the night.

Now we sadly have to wait another year till the 2024 event. Thanks to Lifeline Harbour to Hawkesbury Sydney for a great night out!

Achieving Compliance to APRA’s new standard CPS 230 Operational Risk

The release of the new Prudential Standard CPS 230 – Operational Risk Management by APRA aims to strengthen the management of operational risk in the financial services industry. This standard includes updated requirements to improve business continuity planning and enhance third-party risk management.

“The need for APRA’s new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches. This new standard will ensure that regulated entities set and test controls and maintain robust business continuity plans to respond if disruptions do occur.” says John Lonsdale, APRA Chair.

CPS 230 is designed to replace five existing standards and addresses three key trends observed by APRA in recent years:

The requirements of CPS 230 in summary:

Operational Risk Management:

The new standard outlines a minimum set of expectations to ensure that APRA-regulated entities effectively identify, assess, and manage operational risks. While highlighting the Board’s role, it also clearly places responsibility on senior management for the ownership and management of operational risk.

Under CPS 230, the Board is ultimately accountable for the oversight of an entity’s operational risk management (including business continuity and the management of service provider arrangements). It must ensure clear roles and responsibilities for senior managers, and must oversee operational risk management and the effectiveness of key controls in maintaining the risk profile within risk appetite. This includes ensuring senior management provides clear and comprehensive information to the Board and acts to address any areas of concern.

Senior managers are responsible for the ownership and management of operational risk across an entity’s end-to-end processes. The standard also sets specific requirements for technology risk management, such as monitoring system age and health, and assessing the impact of new technologies on the operational risk profile.

CPS 230 also sets out several requirements in the areas of risk management framework, operational risk profiles and assessments, controls and incidents. Notably, where APRA considers an APRA-regulated entity’s operational risk management has material weaknesses, it may consider actions including conditions on the entity’s licence.

KEY TAKEAWAY: Identify an end-to-end view of critical processes to inform operational risks and controls and have these regularly tested, weaknesses reported and remediated.

Business Continuity:

APRA-regulated entities will be required to maintain critical operations within tolerance levels. This pertains to processes that, if disrupted beyond tolerance levels, would have a material adverse impact on customers or an entity’s role in the financial system. The register of critical operations includes those where the entity is wholly or partially reliant on service providers. APRA has also designated some specific processes as critical operations.

APRA-regulated entities will be required to set Board-approved tolerance levels for each of their critical operations. Tolerance levels should include aspects of maximum outage period, maximum extent of data loss and minimum service levels the entity would maintain while operating under alternative arrangements. APRA reserves the right to set tolerance levels.

Business continuity plans (BCP) will be required for all critical operations, with clear triggers for activation. There must be a systematic BCP testing program covering all critical operations which tests the effectiveness of the BCP and the ability to meet tolerance levels for a range of severe but plausible scenarios. Periodic review by the internal audit function will also be required.

KEY TAKEAWAY: Maintain a register of critical operations and consider plausible disruption scenarios with tolerance levels that are Board approved and regularly tested.

Service Provider Management:

CPS 230 broadens previous standards from a focus on outsourcing to a wider variety of provider delivery models, and addresses risk management at all stages of a service provider arrangement. Approaches for managing risks associated with fourth parties will also be required.

APRA-regulated entities will be required to identify material service providers and manage the risks associated with the use of these providers for each material arrangement. Material service providers and material arrangements are those on which the entity relies to undertake a critical operation or that expose it to material operational risk. APRA has also designated providers of certain services as material (including core technology services). Notably, APRA may require changes to service provider arrangements where it identifies heightened prudential concerns.

Along with approving the policy associated with managing service providers, Boards will need to review risk and performance reporting on material service providers. Internal audit must review proposed material service provider arrangements and regularly report to the Board on compliance of such arrangements to policy. Senior management must maintain oversight of provider performance, effectiveness of controls and compliance with the formal agreement.

In addition to notification requirements on entering or materially changing agreements, APRA requires a register of material service providers on an annual basis. This will assist APRA in identifying and responding to potential systemic issues (including concentration risks) to inform any potential regulatory intervention to mitigate risk or respond to issues as they arise.

KEY TAKEAWAY: Maintain a register of material service providers and manage arrangements including 4th party risks with reporting, monitoring and assurance to the Board level.

APRA has also released a draft Prudential Practice Guide (CPG 230 Operational Risk Management) to accompany the new standard.

CPS 230 Operational Risk Management will commence on 1st July 2025.

APRA Releases 2023 Priorities

APRA’s 2023 Priorities and Areas of Focus for Technology

APRA has recently released its policy and supervision priorities for 2023. “APRA’s 2023 priorities seek to ensure that we can swiftly address today’s risks as well as new challenges beyond the horizon” stated new APRA Chair, John Lonsdale.

He also flagged “a lighter APRA policy load” allowing regulated entities to focus on embedding prior major reforms and respond to challenges in the operating environment.

In terms of supervisory priorities, he highlighted that “operational resilience, including cyber preparedness, continues to grow in importance”, that there was “important work to do on climate risk, governance, culture and recovery planning” and that “the superannuation sector can expect no let-up in our efforts to expose and eradicate underperforming products or actions that are contrary to members’ best interests”.

The team from Capital Consult has assessed the 2023 APRA priorities which can be summarised as:

Policy Priorities

  1. Modernising the prudential architecture which is a core strategic initiative designed to make the APRA regulatory framework clearer, simpler and more adaptable;
  2. Completing key reforms to strengthen the financial and operational resilience of the system, and improve outcomes for superannuation members; and
  3. Reviewing and rationalising core standards within the framework, including for governance and the regulation of conglomerate groups.

Supervisory Priorities

  • Heightened supervision on cyber resilience through detailed assessments and rigorous pursuit of breaches;
  • Embedding the capital reforms for banks and insurers;
  • Continuing to hold trustees to account to improve superannuation member outcomes; and
  • Availability, affordability and sustainability of insurance.

Technology Focus Areas

A New Standard on Operational Risk Management (CPS 230): Scheduled to go live on 1 Jan 2024, this new standard aims to strengthen the management of operational risk and will replace five existing standards for business continuity and outsourcing. All regulated entities must ensure they effectively identify and manage operational risks, are able to continue to deliver critical operations during disruptions, and prudently manage the risks of service providers. The technology function has a key role to play here in assessing and ensuring technology can meet business demands.

NOTE: Capital Consult has developed a short self-assessment to assist organisations in understanding their current state readiness and priority of actions to achieve compliance for CPS 230.

Strengthening Operational Resilience: Supporting the preparedness for CPS 230, APRA will continue to focus its supervisory activities on strengthening operational resilience more broadly, including technology resilience. Entities will need to be prepared to demonstrate to APRA that their technology assets are well managed. This includes the ability to meet current and projected business requirements, support critical operations, be fully resilient and manage risks.

Uplifting Cyber Resilience: APRA is receiving the majority of independent assessments of entities’ compliance with the Prudential Standard CPS 234 Information Security. They will conduct targeted deep-dive reviews on areas of weakness for any entities that fail to meet expectations. They will require comprehensive remediation plans and review these to ensure timely rectification and follow up of all gaps identified. APRA will also be assessing Board effectiveness regarding cyber resilience, organisational capability and preparedness. This includes information requests and meetings with board members to understand practices and areas of challenge. Entities should ensure they are fully compliant to CPS 234 as APRA will rigorously pursue breaches of the standard.

Service Provider Concentration Risk: APRA will focus on strengthening operational resilience through the oversight of continuity planning for outsourcing arrangements. End-to-end resilience, including 3rd and even 4th party service provision, is expected. High concentration risk amongst critical technology service providers is a key factor in this. Continuity planning where there is a high reliance on service providers for critical operations will need to be considered as part of meeting CPS 230 obligations. Additional points of APRA engagement could be triggered by a change in an entity’s risk profile, material events, transformation and improvement programs, and mergers and acquisitions.

Data Collections: APRA has embarked upon a major data change program. Changes to reporting requirements will require system and process changes in entities which will necessitate planning and resourcing.

Technology underlies a number of the priorities outlined by APRA for 2023. It will be important for technology leaders to understand the role they play in assisting their organisations in meeting APRA’s expectations. Key areas include technology risk management, disaster recovery, cyber resilience and service provider management.

APRA Targets Operational Resilience – CPS230

APRA has released for consultation a new industry standard CPS 230 – Operational Risk Management. This aims to strengthen the management of operational risk in the Financial Services industry including updated requirements to improve business continuity planning and enhance third-party risk management. CPS 230 is a broad framework that will replace five existing standards.

“In strengthening the ability of APRA-regulated entities to identify, manage and respond to operational risk events, APRA is seeking to enhance operational and financial resilience, as well as financial stability” says Wayne Byres, APRA Chair. CPS230 is a response to three key trends APRA has observed in recent years:

1. Control failures: Many operational risk events within industry have resulted from ineffective controls. This can be evidenced through findings from the Royal Commission into the Financial Services Industry and APRA Court-enforceable undertakings.

2. Low tolerance for disruptions: Given the importance of core financial services in everyday life and an expectation that services will always be available, there is an increasing expectation of high availability.

3. Increasing reliance on service providers: The expanded use of external providers (including cloud and other technology providers) extends beyond traditional outsourcing and is resulting in longer and more complex supply chains.

Key requirements of CPS 230

1. Operational Risk Management

The proposed standard outlines a minimum set of expectations to ensure that APRA-regulated entities effectively identify, assess, and manage operational risks. While highlighting the Board’s role, it also clearly places responsibility on senior management for the ownership and management of operational risk.

Under CPS230, the Board is ultimately accountable for the oversight of an entity’s operational risk management (including business continuity and the management of service provider arrangements). It must ensure clear roles and responsibilities for senior managers, and must oversee operational risk management and the effectiveness of key controls in maintaining the risk profile within risk appetite. This includes ensuring senior management provides clear and comprehensive information to the Board and acts to address any areas of concern.

Senior managers are responsible for the ownership and management of operational risk across an entity’s end-to-end processes. The standard also sets specific requirements for technology risk management, such as monitoring system age and health, and assessing the impact of new technologies on the operational risk profile.

CPS230 also sets out several requirements in the areas of risk management framework, operational risk profiles and assessments, controls and incidents. Notably, where APRA considers an APRA-regulated entity’s operational risk management has material weaknesses, it may consider actions including conditions on the entity’s licence.

AREAS TO CONSIDER:

  • Ensure clear roles, responsibilities and governance arrangements for operational risk management
  • Maintain end-to-end views of critical processes to inform identification of operational risks and controls
  • Ensure operational risk controls are embedded, regularly tested, weaknesses reported & remediated
  • Ensure operational risk incidents and events are identified, escalated, recorded and addressed

2. Business Continuity

APRA-regulated entities will be required to maintain critical operations within tolerance levels. This pertains to processes that, if disrupted beyond tolerance levels, would have a material adverse impact on customers or an entity’s role in the financial system. The register of critical operations includes those where the entity is wholly or partially reliant on service providers. APRA has also designated some specific processes as critical operations.

APRA-regulated entities will be required to set Board-approved tolerance levels for each of their critical operations. Tolerance levels should include aspects of maximum outage period, maximum extent of data loss and minimum service levels the entity would maintain while operating under alternative arrangements. APRA reserves the right to set tolerance levels.

Business continuity plans (BCP) will be required for all critical operations, with clear triggers for activation. There must be a systematic BCP testing program covering all critical operations which tests the effectiveness of the BCP and the ability to meet tolerance levels for a range of severe but plausible scenarios. Periodic review by the internal audit function will also be required.

AREAS TO CONSIDER:

  • Maintain a register of critical operations and consider plausible disruption scenarios
  • Develop BCPs and tolerance levels that are Board approved
  • Establish a systematic BCP testing program
  • Ensure periodic review by the internal audit function of the BCP and testing regime

3. Service Provider Management

CPS 230 broadens previous standards from a focus on outsourcing to a wider variety of provider delivery models, and addresses risk management at all stages of a service provider arrangement. Approaches for managing risks associated with fourth parties will also be required.

APRA-regulated entities will be required to identify material service providers and manage the risks associated with the use of these providers. Material service providers are those on which the entity relies to undertake a critical operation or that expose it to material operational risk. This includes those that manage critical or sensitive information assets under CPS234. APRA has also designated providers of certain services as material (including core technology services). Notably, APRA may require changes to service provider arrangements where it identifies heightened prudential concerns.

Along with approving the policy associated with managing service providers, Boards will need to review the risk and performance reporting on material service provider arrangements. Internal audit must review proposed material service provider arrangements and regularly report to the Board on compliance to policy. Senior management must maintain oversight of provider performance, effectiveness of controls and compliance with the formal agreement.

In addition to notification requirements on entering or materially changing agreements, APRA requires a register of material service providers on an annual basis. This will assist APRA in identifying and responding to potential systemic issues (including concentration risks) to inform any potential regulatory intervention to mitigate risk or respond to issues as they arise.

AREAS TO CONSIDER:

  • Maintain a register of material service providers
  • Develop a Board approved policy that sets out management of arrangements and associated risks
  • Define the method and process for identifying and managing fourth party risks
  • Ensure service provider agreements meet the requirements outlined in CPS230
  • Establish a reporting, monitoring and assurance regime for Boards and senior management to oversee service provider performance, risk and compliance to policy

CPS 230 Operational Risk Management has been tabled with industry for feedback until October 2022. APRA plans to finalise the standard in early 2023.

About the Authors: Mark Zanon and Andre Kreicers are from Capital Consult, a provider of specialist advice, consulting and services to the Financial Services industry since 2008. We assist organisations to interpret and achieve compliance with the APRA prudential standards, guidelines and supervisory directions. Capital Consult has worked with many FSI clients in managing their APRA and regulatory obligations. This includes understanding and managing risk paradigms introduced through technology developments such as outsourcing, cloud computing, digital transformation, AI and Banking as a Service.

APRA Releases its 2021 Priorities

APRA and the 2021 Priorities: What it Means for Technology Leaders of FSIs

APRA has recently released its policy and supervision priorities for the coming year. Their focus is to ensure the effectiveness of the resilience and crisis readiness of Australia’s financial system is further enhanced.

“APRA’s priority is to maintain a financial system that is resilient” said APRA Chair, Wayne Byres, underlining the value of an “ongoing regulatory program that seeks to identify risks and put in place appropriate mitigation strategies to protect the interests of depositors, policy holders and fund members.”

APRA have flagged that in 2021 they will enhance their:

Policies – the framework of prudential standards and practice guides, setting minimum standards under which regulated entities are expected to operate

Proactive Supervision Requirements – APRA can direct FSIs to allocate resources towards areas that pose the greatest risk or impact including anticipating the impact of current and emerging risks

Focus Areas for 2021

A new prudential standard for disaster recovery and resolution planning. All regulated entities will need to ensure they effectively plan for and manage crisis events and periods of stress. Crisis Management, Backup/Restoration and Disaster Recovery testing is likely to be a focus area on future reviews.

Review of requirements related to operational resilience including aspects of outsourcing (CPS231), business continuity (CPS232) and information security (CPS234). A holistic approach to outsourcing, security and continuity is recommended. Procurement, Security and Operations will need to coordinate and align Frameworks, Procedures and Assurance activities.

Consultation on new guidance for stress testing, focusing on regulated entities’ approach and maturity for forward-looking recovery planning and security threat analysis and testing. Regulated entities will need to provide evidence that they have tested, verified and matured their Disaster Recovery plans, Vendor Contingency and Backup/Recovery processes.

Cyber resilience maturity and effectiveness (CPS234 alignment). Regulated entities will be required to engage external auditors for assessments of compliance and weaknesses, cyber resilience data collection, a cyber information sharing community pilot and cyber resilience testing. Regular cyber maturity assessments are core to demonstrating improvements with a focus on threat analysis to key assets.

Recovery and resilience via effective contingency planning and regular testing of those plans. A credible recovery capability and ensuring simple, credible resolution strategies are in place is expected. Proof of contingency, disaster and backup recovery capability will be core to demonstrating credibility. There will be a focus on the Superannuation industry with recovery and resolution planning reviews.

Assessment of the range and concentration of service providers used by regulated entities. This means a review, and a regular process of reviews, of all technology vendors and the services they provide, along with a risk-based assessment of contingency plans for key services.

In flagging these priority areas for 2021, APRA have indicated that the bar is being raised. Previous expected practice will now be the required norm. 2021 will underline the importance of aligning Outsourcing, Continuity and Security and their continued improvement and maturity. This will be a period where proving and improving resilience and crisis readiness is required, in addition to current governance, assurance and reporting requirements.

About the Author: Mark Zanon is the Managing Director of Capital Consult who have been providing specialist advice and services, assisting organisations dealing with APRA since 2008. We assist organisations to interpret and achieve compliance with the APRA prudential standards, guidelines and supervisory framework, with a core competency on technology regulatory compliance.

APRA calls out FSIs on Cyber

APRA Executive Board Member, Geoff Summerhayes has recently delivered a speech on APRA’s view of Cyber Security maturity within the Australian Financial Services Industry, including the release of a 4 year Cyber Security Strategy. This is a compelling read for all executives and Board members, especially those with direct BEAR accountability for cyber-related impacts and risks.

To date, there has not been a material cyber breach in any APRA-regulated banks, insurers or super funds. However, APRA sees there is still room for improvement as they are “still seeing too many basic cyber hygiene issues across the industry”.

The APRA Cyber Security Strategy 2020 – 2024 aims to raise standards and introduce heightened accountability. The intention, as per APRA’s “constructively tough” enforcement philosophy, is to expedite positive change to protect institutions and the customers that rely on them as part of the broader financial system.

Key elements of the APRA Cyber Security Strategy include:

1. Board Oversight, Action and Accountability

APRA has made it clear that, in general, they do not see Boards exercising their obligations regarding cyber risk. This is due to a combination of Boards not being properly informed and lacking the capability to understand what actions to undertake. APRA is now moving to an evidence-based approach for Board cyber risk oversight. “In light of evidence that Boards frequently don’t understand or are not adequately informed about cyber risks, we’re no longer prepared to simply take their words for it – we want compliance independently verified” said Mr Summerhayes. APRA will achieve this by formulating sound practice guidance and stepping up APRA’s scrutiny of cyber oversight practices.

The obligations here are clear. “Where gaps are sufficiently material, we will consider forcing entities to issue a breach notice and create a rectification plan. If boards are unwilling or unable to make the required changes in a timely manner, we will consider using formal enforcement action” said Mr Summerhayes.

2. Targeted Compliance to Prudential Standard CPS 234

APRA released the information security standard in July 2019. With compliance expected by the start of 2021, around 100 entities have indicated shortcomings and requested extensions to compliance. APRA is seeing basic cyber hygiene issues and has observed key weaknesses, especially in establishing a baseline of cyber controls, testing capability and incident response.

APRA will now take a targeted approach towards ensuring CPS 234 is fully complied with. Specifically, APRA is calling on Boards to undertake a CPS 234 compliance review through an external audit partner. They will be asked to report back to the Board and APRA themselves.

3. Downstream Provider Risk

There is clear acknowledgement from APRA on the complexity of the value chain provider ecosystem within the industry. Along with the ~680 entities that APRA supervises, they estimate a further 17,000 entities are interconnected to the industry. This creates a very broad risk radius of cyber threats that have the potential to materially impact the financial system.

APRA aims to rectify weak links within the broader financial services eco-system by fostering the maturation of provider cyber-assessment and assurance as well as harmonising the regulation and supervision of cyber across the financial system. The APRA Cyber Security Strategy will introduce a broader set of tools and techniques for downstream and ecosystem risks.

4. Enhanced Role of Internal Audit

APRA has observed that internal audit functions in many entities lack sufficient cyber skillsets, are under-resourced and have under-developed methodologies. This includes audit committees failing to act on recommendations, a lack of understanding about cyber risks and exposures, and insufficient investigations aligned to cyber risk exposures.

APRA’s experience is that the consequence of this is that many boards are not properly informed about the true state of their entity’s cyber security position or risks. This also is leading to a failure of understanding of why urgent action is required.

APRA’s cyber strategy will include enhanced cyber guidance for board members, internal auditors and risk management professionals.

APRA will be enforcing cyber-related performance, oversight and compliance in a constructively tough manner. The impact of cyber risk on the Australian financial services industry is of increasing concern to APRA, which will now take a proactive approach.

Capital Consult has assisted many FSIs through APRA readiness and compliance in the technology, outsourcing and risk domains. As such, we are well placed to provide advice and methods to implement our 6-step action plan towards APRA-ready cyber maturity and regulatory compliance.

  1. Design and implement a board education program covering organisational cyber maturity, performance and health metrics. Ensure a clear understanding of board obligations aligned to risk appetite, BEAR accountabilities and APRA prudential obligations (e.g. CPS 234).
  2. Implement a dedicated program of work covering all aspects of CPS 234 compliance and operating maturity, including provider performance and risk. Ensure this has a line of sight to the board.
  3. Commission a third-line assurance/audit review of CPS 234 compliance, reporting to the board. This should be done via a combined internal and external audit partnership.
  4. Assess the internal audit function’s capability and maturity specific to cyber risk as part of the CPS 234 audit. Review the annual audit plan for regular cyber reviews.
  5. Implement an asset register of key providers, categorised and prioritised by business value and performance, sensitivity, criticality and cyber risk. Assess and classify each provider for business risk against the policy environment.
  6. Design and implement a provider assurance framework and plan aligned to the contractual, governance and policy framework, to ensure ongoing assessment and reporting of risk, including cyber.

About the Author: Mark Zanon is the Managing Director of Capital Consult, which has been providing specialist advice and services to organisations dealing with APRA since 2008. We assist organisations to interpret and achieve compliance with the APRA prudential standards, guidelines and supervisory framework.

APRA – The Latest on Cyber Security Maturity in Financial Services

APRA member Geoff Summerhayes has recently delivered a speech on APRA’s view of cyber security maturity within the ~600 Australian financial services institutions. This should be compelling advice for all risk, technology and cyber professionals in financial services.

APRA’s focus on cyber resilience within financial services has been evident since it published the first prudential standard on information security (CPS 234, effective 1 July 2019). (For more detail see my previous article here.) In addition, the 2020 APRA Corporate Plan elevated the improvement of cyber resilience across the financial system to one of its top four strategic priorities.

Adopting an “assumed breach” mentality is key: assume that information and security defences will, at some point, be compromised, and ensure the systems and experienced personnel are available to “repel the attack, re-secure the network and rectify any damage.”

This is not just lip service, with APRA having been formally advised of 36 incident notifications since July 2019.

Some specific weaknesses APRA have noted (and will obviously be targeting) regarding cyber security maturity include:

  • Basic cyber hygiene as an ongoing area of concern. This includes running systems for which the vendor no longer provides support or security updates. The lack of a comprehensive security patching regime and poor access management practices are also common.
  • Failure to define a complete inventory of information assets and subsequently implement effective oversight where assets are managed by third parties. This includes both cloud-based services and traditional support arrangements.
  • Immaturity in assessing and gaining assurance regarding the information security capability of third parties that manage information assets on FSIs’ behalf.
  • Reliance solely on certifications or other forms of assurance provided by third parties, without considering the sufficiency of the assurance these provide.
  • Immaturity in the control of privileged access to systems: handing over the “keys to the kingdom” and allowing access to information and systems without tight controls.

These weaknesses all map to requirements of CPS 234. Of interest is that APRA has reported that over 70 per cent of APRA-regulated entities self-assessed CPS 234 compliance gaps. Identification is obviously the first step; a remediation plan with evidence of control effectiveness is key to gaining APRA’s confidence.

As an outcome, APRA will increasingly challenge entities by using data-driven insights to prioritise and tailor extended supervisory activities. This will inform the creation of baseline metrics against which APRA-regulated institutions will be benchmarked and held to account for maintaining their cyber defences. APRA will also be improving its own capability by increasingly drawing on third-party expertise.

APRA will be enforcing in a “constructively tough” manner.

APRA CPS 234. Are You Ready?

APRA has released a new Prudential Standard, “CPS 234: Information Security”. This sets out minimum standards for all regulated Financial Services Institutions (FSIs) in Australia regarding resilience to security incidents and information security capability. The standard is based on the Prudential Practice Guide CPG 234, “Management of Security Risk in Information and Information Technology”, published May 2013. Regulated FSIs are expected to adhere to all aspects of the new standard when it becomes effective on 1 July 2019.

In its ongoing review of the prudential framework, APRA applies the principles of relevance, consistency with international standards, good practice, facilitation of sound risk management and industry consultation. APRA has engaged with industry bodies, regulated entities and service providers, and has taken their feedback on board in creating CPS 234 Information Security.

A recent review by Capital Consult of selected FSIs concluded that over 68% do not yet fully adhere to the new standard, and over half of these are not fully aware of their gaps to adherence.

The responsibility and accountability for adherence to the standard sit not only within the IT or security department, but more broadly across the organisation. The standard covers nine key areas:

1. Roles and Responsibilities

Security-related roles and responsibilities need to be clearly defined for decision making, approvals, oversight and operations. It is important to ensure this covers all levels of governance, including Board responsibilities, governing bodies and individuals. “The Board must ensure that the organisation maintains information security”.

2. Information Security Capability

The continued sound operation of the organisation is directly tied to the maturity of its people, processes and technology. Capability must be maintained with respect to changes in vulnerabilities, threats, information assets and the business environment. APRA also expects the capability of any related or third party managing information assets to be assessed, and the potential consequences understood and acted upon.

3. Policy Framework

An information security policy framework must be current and approved. It needs to cover all parties who have an obligation to maintain information security.

4. Asset Identification and Classification

All information assets, including those managed by related and third parties, must be classified by criticality and sensitivity. This classification must be aligned to the potential impact of security incidents on the organisation.

5. Implementation of Controls

Security controls must be implemented, taking into account vulnerabilities, criticality and sensitivity, life cycle stage and potential consequences. For any controls managed by related and third parties, the organisation must evaluate their design and effectiveness.

6. Incident Management

The ability to detect and respond to security incidents in a timely manner is required. This must include response plans for incidents that could impact the organisation, reviewed annually. These plans must cater for all stages of incident management and include escalation and reporting.

7. Testing and Control Effectiveness

Information security controls must be tested through a systematic test program, at least annually. For any controls managed by related and third parties, the organisation must assess the nature, frequency and effectiveness of that testing. Testing must be done by independent specialists with appropriate skills. Any deficiencies that cannot be remediated must be escalated to the Board or senior management.

8. Internal Audit

Activities conducted by the internal audit function must include reviewing the design and operating effectiveness of information security controls, including those maintained by related and third parties.

9. APRA Notification

The organisation must notify APRA no later than 72 hours after any material security incident. It must also notify APRA within 10 business days of any security control weakness that cannot be remediated in a timely manner.

CPS 234 Information Security is effective from 1 July 2019. APRA will expect regulated entities to be able to provide evidence of the effectiveness of their operating environment in adhering to all aspects of the standard.

Our recommendation is that entities undertake a detailed gap analysis and remediation of their security-related operating environment against the CPS 234 requirements. Capital Consult has identified 56 specific areas of adherence and expected supporting evidence that should be reviewed. In our experience, common areas of weakness include:

  • Data loss prevention capabilities, including aligning cloud and on-premise controls
  • Inadequate data life cycle controls
  • Security posture metrics and reporting
  • Informal assurance of vendor security capability
  • Limited clarity on roles and responsibilities in cloud shared-responsibility environments
  • Insufficient security awareness throughout the organisation
  • Board or executive oversight of security effectiveness

Priority should be given to identifying and categorising all information security assets managed by related and third parties. An assessment and response from these parties should be analysed, with areas of weakness addressed.

Capital Consult is currently assisting FSI organisations with adherence to the new Prudential Standard CPS 234 Information Security. For more information, advice or assistance, contact us at Capital Consult.

APRA Cloud Information Paper – Overview and Action Plan

APRA has recently updated their Information Paper on “Outsourcing Involving Cloud Computing Services”.

This was originally published in 2015, with APRA’s perspective commensurate with the emergence of cloud services and technologies.

At the time APRA noted “risk management practices, including risk identification and mitigation techniques, are still maturing for these types of arrangements”. In their current, updated Information Paper, APRA now sees “entities have also improved their management capability and processes for assessing and overseeing the services provided”.

Overall, APRA has now expressed a more open stance on cloud usage. However, there are still areas of weakness, identified through APRA’s supervisory activities, that regulated entities are expected to address. This translates into 16 new requirements covering continuity of operations, strength of control environments, assurance and audit, and APRA’s role and requirements as the regulator.

The key aspect of APRA’s oversight of cloud outsourcing arrangements remains that risks be understood and managed. The aggregated risk profile should be classified into one of three broad categories: low, heightened or extreme. Each has different requirements for APRA review and consultation. Regardless of the risk profile, expected practice involves oversight and acceptance of the risks through the organisation’s governance process.

As with most regulations, standards and guidelines, the difficulty comes in translating these into pragmatic actions with supporting evidence. This is especially important given the financial services industry’s increased appetite for heightened and extreme risk events, such as migrating ‘systems of record’ to the cloud.

The APRA Information Paper can be used as a blueprint to commence your cloud journey towards meeting regulatory requirements. Applying this, together with our experience assisting over a dozen regulated entities with cloud readiness and APRA approvals, we recommend the following 9-point action plan. It is a good starting point towards cloud readiness and APRA submission for cloud workloads.

Materiality & Risk

Complete a materiality assessment of the criticality and sensitivity of the assets and information in scope. Identify cloud-specific risks and controls (~60 risks across 8 cloud domains). The aggregated risk profile should be aligned to the organisation’s risk appetite.

Strategy Alignment

Define and approve the cloud/outsourcing strategy, covering both technical and non-technical aspects. Ensure it is aligned to the business and broader IT strategies and includes target architectures and the target operating model.

Governance & Assurance

Define the governance framework for the delivery program and the ongoing management of cloud services. The solution and risk profile should be reviewed and accepted by the Board or approval body. The assurance approach should include independent audit/assurance of cloud delivery, risk and solution.

Selection & Solution

Complete a vendor assessment and formal selection process, and clearly define the scope of cloud services, assets and information. Undertake detailed due diligence of the cloud vendor’s services: security, technical and operational.

Transition

Plan for a lower-risk approach via proofs of concept and initial non-material workloads. This is especially important for heightened risk arrangements. Define go/no-go criteria and rollback scenarios.

Security and Information Management

Classify all assets and data and apply life cycle controls commensurate with data criticality and sensitivity. Complete detailed security assessments of both the cloud vendor environment and the organisation’s own roles. Use a combination of controls, security assessments and testing, along with third-party attestations.

Resilience

Design a resilience strategy for the cloud solution covering availability, recovery and contingency. Define the contingency approach and plan for vendor failure. Align to existing business continuity plans and test disruption scenarios covering both planned and unplanned events.

Operating Model

Design the target operating model, ensuring clarity of roles between the organisation and the cloud vendor. We recommend implementing a cloud operations RACI (123 detailed cloud operational functions). Define the transition and change management approach to cloud-related ‘ways of working’.

Regulatory

Ensure contracts allow for APRA access to information and vendor sites. Complete assessments against all other APRA standards and guidelines relevant to cloud and outsourcing. Design your APRA engagement and consultation plan, ensuring proactive communication and adequate evidence.

APRA has defined its expectations of organisations for consultation, ultimately leading towards APRA’s “no objection”. In summary:

Notify APRA prior to entering any arrangements:

  • For any offshore arrangements
  • For any extreme inherent risk arrangement

Notify APRA prior to entering the arrangement, but after internal governance approvals:

  • For any heightened inherent risk arrangement

No need to notify APRA:

  • For any low inherent risk arrangement

In summary, APRA’s updated Information Paper is a good blueprint towards regulatory ‘no objection’ for cloud and outsourcing arrangements. Maintaining focus on all three aspects (risk management, alignment to APRA standards, and supporting evidence) is key to your APRA journey.

To quote APRA:

“we will seek to ensure that regulated entities’ risk management and mitigation techniques are sufficiently strong when utilising cloud computing services that involve heightened inherent risk or an extreme impact if disrupted”

For assistance with your cloud outsourcing readiness and APRA submissions and approvals, contact us at Capital Consult.