APRA releases new standard of operational risk management

The Australian Prudential Regulation Authority (APRA) has made moves to bolster cyber security with a new standard that holds major financial institutions accountable in the event of a cyber incident.

The Prudential Standard CPS 230 Operational Risk Management (CPS 230) ensures that organisations hold the responsibility for managing cyber risk.

In a statement issued on its website, APRA has said that CPS 230 will provide “a foundation for APRA-regulated entities to:

“Strengthen operational risk management through new requirements to address identified weaknesses in existing controls;
“Improve business continuity planning to ensure they are positioned to respond to severe disruptions; and
“Enhance third-party risk management by ensuring risks from material service providers are appropriately managed.”

While CPS 230 covers a variety of areas of operational risk, cyber attacks and data breaches present a major danger to businesses.

============

Major cyber attacks on businesses like financial institutions such as Medibank and Latitude have proven to be incredibly damaging examples of what can go wrong when operational risk is not properly managed.

APRA chairman John Lonsdale has said that disruptions to financial services cause major issues for consumers and parties who rely on them on a daily basis.

“Disruptions to financial services can cause a major detrimental impact to the people who rely on them to pay bills, recover from financial loss or support themselves in retirement.

“The need for APRA’s new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches.

“This new standard will ensure that regulated entities set and test controls and maintain robust business continuity plans to respond if disruptions do occur,” Lonsdale said.

VIEW ALL

Lonsdale added that it was not just the responsibility of organisations to manage their operational risk and ensure that their systems remained secure, but that it was expected that implementation of the regulatory standard be done in advance before its commencement on 1 July 2025.

“We expect regulated entities to be proactive in preparing for implementation rather than waiting until the last minute to get ready to meet the new requirements,” said Lonsdale.

“There will be a transition phase for existing contractual arrangements with material service providers for entities that need some flexibility.”

The finalisation of CPS 230 comes a year after APRA first commenced an industry consultation into the management of operational risk.

Alongside the finalisation of the standard, APRA has also released a draft of the Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230).

The draft guide will be consulted by APRA until 13 October 2023.

Copies of CPS 230 and CPG 230 can be found on the APRA website.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it

newsletter

Be the first to hear the latest developments in the cyber industry.

APRA releases new standard of operational risk management

Daniel Croft

Introducing Cyber Daily, the new name for Cyber Security Connect

OUR PLATFORMS AND BRANDS

EVENTS AND SUMMITS

PODCASTS

LEARNING AND EDUCATION

MOMENTUM MARKETS NETWORK

LINKS

STAY CONNECTED