Financial services and insurance (FSI) organisations in Australia have been warned that their data platforms and cloud strategies may not be compliant with the Australian Prudential Regulation Authority (APRA) new CPS 230 Operational Risk Management framework. The new framework, which was introduced in July 2022, will come into effect on January 1, 2024, and aims to make APRA regulated organisations more resilient to risk and disruptions, including cyberattacks.
The CPS 230 framework introduces new requirements for operational risk management and updated business continuity requirements, including the allocation of specific responsibilities to the Board of Directors and senior management of companies affected, as well as managing the risks associated with the use of service providers. To comply with CPS 230, regulated entities must review, assess and adapt the risk tolerance inherent in their systems architecture and ensure that all systems policies and procedures prevent disruption to critical systems within set tolerances.
According to Patrick Fair, Principal at Patrick Fair Associates, a law firm specializing in technology, privacy, and data governance, “CPS 230 will be an onerous set of substantially new requirements for APRA regulated entities to introduce policies, processes and systems that are capable of managing and overcoming business risk.” Fair further stated that “reducing and managing the risk associated with the management of material service provider arrangements also creates a complex challenge for hybrid cloud environments and systems where key data processing functions are associated with any single provider.”
This warning comes as recent research from MongoDB and Forrester shows that 40% of FSI organisations’ current data platforms have an inability to meet security requirements. Anoop Dhankhar, Country Manager, ANZ for developer data platform MongoDB, noted that “when it comes to business continuity and resilience, financial services providers are challenged by the sheer number of critical, customer-facing applications, services and user point of sale (POS) devices they have to deal with, and the uptime and data protection needed to keep all of it safe and available at all times.”
Dhankhar added that “compliance and resilience can only be achieved by having each one of the critical applications – and the underlying infrastructure – hosted in multiple clouds at once so in the event the financial institution or the cloud provider experiences an outage, data is safeguarded and available for applications to use.”
The same Forrester-MongoDB report also revealed that as data demands grow and change, three-quarters of FSI decision-makers say their organisation needs an integrated data platform as the foundation from which to address the diversity of the workloads/functions that modern applications require, and that includes security.
To achieve compliance by January 1, 2024, Fair recommends a step-by-step approach for Australian organisations. “It is important to assess your current systems and identify any gaps or areas that need improvement,” he said. “Next, develop and implement new policies and processes that are capable of managing and overcoming business risk. Finally, monitor and review your systems regularly to ensure ongoing compliance and identify any areas for improvement.”
Overall, APRA’s CPS 230 Operational Risk Management framework is set to introduce new challenges for FSI organisations, particularly with regards to data security and the use of service providers. By taking a step-by-step approach, however, these organisations can ensure compliance by the January 1, 2024 deadline.