In the wake of recent significant cyber-attacks and data breaches in Australia, including those against health insurer Medibank and financial services provider Latitude, the Australian Prudential Regulation Authority (APRA) is seeking to strengthen operational risk management across Australia’s financial sector.
On Monday, APRA released the final version of its new Prudential Standard CPS 230, providing the foundation for APRA-regulated entities to:
- strengthen operational risk management through new requirements that address identified weaknesses in existing controls;
- improve business continuity planning so that they are positioned to respond to severe disruptions; and
- enhance third-party risk management by ensuring that risks from material service providers are appropriately managed.
CPS 230, which commences on 1 July 2025, focuses specifically on operational risk management within financial institutions. Operational risk is the risk of loss resulting from inadequate or failed internal processes, people or systems, or from external events. CPS 230 sets out APRA’s expectations for how financial institutions manage and mitigate operational risk.
Cyber risks continue to increase and are a major focus of the prudential standard, with APRA Chair John Lonsdale stating, “The need for APRA’s new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches…” and adding, “We expect regulated entities to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements.”
CPS 230 expects financial institutions to identify, assess and manage cyber risks, including those arising from their supply chains. The standard emphasises due diligence, ongoing monitoring and the implementation of appropriate controls to mitigate cyber threats within the supply chain.
The Defence supply chain has long been a target for adversaries and malicious actors.
The APRA Prudential Standard CPS 234 Information Security sets out the requirements for managing cyber risks, including those arising from service providers. CPS 234 places a strong emphasis on service provider cybersecurity and requires organisations to consider the following when managing service provider risks:
Due Diligence: Financial institutions must exercise due diligence in selecting and managing service providers, choosing those that have the capability to maintain appropriate information security standards. This includes a thorough assessment of the service provider’s security capabilities, including its ability to manage cyber risks.
Information Security Requirements: Financial institutions must clearly define the information security requirements for service providers in their contracts or service agreements. These requirements should align with the financial institution’s cybersecurity objectives and be commensurate with the risks associated with the services provided.
Ongoing Monitoring: Financial institutions must monitor the service provider’s compliance with the agreed-upon information security requirements. This may include regular assessments, audits, or reviews of the service provider’s security controls and practices. Financial institutions should be proactive in addressing any identified deficiencies or risks.
Notification and Incident Response: Financial institutions must establish processes for the timely notification of, and response to, cybersecurity incidents involving their service providers. This includes notifying APRA of any material information security incident as soon as possible, and no later than 72 hours after becoming aware of it, and keeping appropriate records of incidents and responses.
Access Controls: Financial institutions must ensure appropriate access controls are in place for their service providers. This includes defining and regularly reviewing the level of access granted to each service provider, ensuring that access privileges are aligned with business requirements, and promptly revoking access when it is no longer required, for example when a contract ends or an account has fallen out of use.
Business Continuity Management: Financial institutions must assess the service provider’s ability to maintain business continuity in the face of a cybersecurity incident. This involves evaluating the service provider’s incident response plans, backup strategies, and disaster recovery capabilities.
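The access control requirement above is the one that most readily turns into a repeatable check. The following is an added example, not code from the article or from Secure State, showing a periodic review of service-provider access. The data model (ProviderAccess), the 90-day staleness threshold, the sample grants and the review date are all assumptions constructed for illustration; an institution would feed in its own identity-provider export and contract register and set its own thresholds.

```python
"""Periodic review of service-provider access.

Added example with an assumed data model; not derived from CPS 234's text.
Each grant records who the provider is, what access they hold, when the
contract ends, when the access was last used and when its next review is due.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy threshold: access not used for longer than this is revoked.
STALE_AFTER = timedelta(days=90)

# Assumed review date for the sample run below.
REVIEW_DATE = date(2024, 3, 1)


@dataclass(frozen=True)
class ProviderAccess:
    provider: str                    # the service provider (from the contract register)
    principal: str                   # account or role the provider uses in our systems
    privilege: str                   # what the principal can do
    granted_on: date                 # when the access was provisioned
    contract_end: date               # end date from the service agreement
    review_due: date                 # next scheduled entitlement review
    last_used: Optional[date] = None  # None: never used since it was granted


def review_provider_access(
    grants: List[ProviderAccess], today: date
) -> Tuple[Dict[str, List[str]], List[str]]:
    """Classify each grant.

    Returns a pair: a mapping of principal -> reasons for grants that should be
    revoked now, and a list of principals whose entitlement review is overdue.
    A grant that must be revoked is not also reported as overdue for review.
    """
    revoke: Dict[str, List[str]] = {}
    overdue: List[str] = []
    for g in grants:
        reasons: List[str] = []
        if today > g.contract_end:
            reasons.append("contract ended")
            # Activity after the contract end is a control failure, not just cleanup.
            if g.last_used is not None and g.last_used > g.contract_end:
                reasons.append("used after contract end")
        # A never-used grant is measured from the day it was provisioned.
        last_activity = g.last_used if g.last_used is not None else g.granted_on
        if today - last_activity > STALE_AFTER:
            reasons.append("never used" if g.last_used is None else "unused > 90 days")
        if reasons:
            revoke[g.principal] = reasons
        elif today > g.review_due:
            overdue.append(g.principal)
    return revoke, overdue


# Constructed sample grants (not real providers or accounts).
SAMPLE_GRANTS = [
    ProviderAccess("PayCo", "svc-payco-api", "read:claims",
                   date(2023, 7, 1), date(2024, 12, 31), date(2024, 6, 30), date(2024, 2, 28)),
    ProviderAccess("OldVendor", "vendor-old-admin", "admin",
                   date(2022, 1, 10), date(2023, 12, 31), date(2024, 6, 30), date(2024, 2, 20)),
    ProviderAccess("CloudBackup", "svc-backup", "write:backups",
                   date(2023, 1, 1), date(2025, 6, 30), date(2024, 6, 30), date(2023, 10, 1)),
    ProviderAccess("AuditFirm", "auditor-jsmith", "read:ledger",
                   date(2023, 9, 1), date(2024, 12, 31), date(2024, 1, 31), date(2024, 2, 15)),
    ProviderAccess("NewVendor", "svc-newvendor", "read:reports",
                   date(2023, 11, 1), date(2025, 12, 31), date(2024, 6, 30)),
]


def run_review() -> Tuple[Dict[str, List[str]], List[str]]:
    """Run the review over the constructed sample as of REVIEW_DATE."""
    return review_provider_access(SAMPLE_GRANTS, REVIEW_DATE)


if __name__ == "__main__":
    to_revoke, review_overdue = run_review()
    for principal, why in to_revoke.items():
        print(f"REVOKE  {principal}: {', '.join(why)}")
    for principal in review_overdue:
        print(f"REVIEW  {principal}: entitlement review overdue")
```

Run as a script it prints one line per finding. The point of the "used after contract end" reason is that a still-active account belonging to an expired provider is evidence the offboarding control failed and should be investigated, not silently cleaned up; the never-used case catches access that was provisioned speculatively and never needed.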
All organisations need robust practices for managing the cyber risks introduced by their service providers. By adhering to these requirements, financial institutions can strengthen the overall resilience of their information security frameworks and mitigate the cyber risks arising from service provider relationships.
The defence industry has long understood the importance of managing the cyber security risks associated with its service providers and other third parties. Malicious criminal actors and foreign adversaries are increasingly exploiting the same service provider weaknesses across all critical industries, including financial institutions, government and other critical infrastructure organisations.
Even companies that do not consider themselves part of a critical infrastructure industry may provide services to such organisations, and adversaries may identify their less protected systems as a path into the organisations they serve.
It is important for all organisations not only to evaluate and manage their internal cyber risks but also to consider their supply chain and service providers. This may seem a daunting and complex undertaking, but with the right advice and assistance a cybersecurity program can be developed and aligned with existing frameworks, reducing external risk and building resilience into your systems.
About Secure State
Secure State is the first Registered Practitioner Organisation in Australia for the US Department of Defense Cybersecurity Maturity Model Certification (CMMC) program. CMMC is specifically aimed at protecting information in the Defence supply chain; it is based on a common cyber framework (NIST SP 800-171) and its principles are applicable to organisations in any sector.
Secure State brings defence-grade advice, delivery and managed cybersecurity services to organisations in any industry sector.