Feature

CPS 230 means increasing focus on cyber risk for Australian insurers 

Insurers will need to focus on fourth and fifth party outsourcing as part of the new APRA standard.


(Re)in Summary

• APRA is bringing operational risk standard CPS 230 into force for 1 July 2025.
• The regulator is concerned about the increase in cyber attacks in Australia and the use of new technologies.
• The new standard will apply to the whole financial services sector, but claims processes and reinsurance agreements will be insurance-specific issues.
• Insurers will need transparency over cyber risk practices of all outsourcing, including that to fourth and fifth parties.

Football Australia has become the latest high-profile Australian organisation to hit the news for a cyber breach, after reports emerged that information, including players’ passport details, has been circulating online for two years.

Australian authorities are not sitting idly by as hackers continue to target institutions in the country. Late last year the government announced a AU$384m (US$250m) cybersecurity strategy and regulators are eyeing the financial services sector keenly.

Insurers in the country, along with the whole financial ecosystem, are now preparing to implement operational risk standard CPS 230 that will be effective from 1 July 2025.

The Australian Prudential Regulation Authority (APRA) released its regulatory priorities for the first half of 2024 at the end of January, and it explicitly linked operational and cyber risk.

“For the period ahead, APRA [will focus on] operational and cyber resilience for all regulated entities, reflecting the growing reliance on digital technologies by entities and the community,” APRA said.

According to Bryony Evans, Sydney-based partner in King & Wood Mallesons’ tech practice, the increased level of cyber risk faced in Australia, together with the proliferation of new technologies, is a major driver behind the impending CPS 230 standard.

“Cyber and the increased use of different types of technology across the financial services sector, including insurance, is a big driver for the different approach with CPS 230, compared to the current standard. And that’s been flagged by APRA. 

APRA expects the rate of implementation for dealing with cyber risk should be better than it currently is in Australia. 

That comes out of not just the audits the regulator has completed but also things like the data breaches that we’ve seen in Australia recently and how they’ve been responded to,” says Evans.

Royal Commission

Cyber risk may be the regulators’ current focus, but Jane Stanton, Sydney-based partner at consultants Grant Thornton, says that CPS 230 is also the product of the 2018 Royal Commission, which looked at the financial services sector.

She says that a key finding of the commission pointed to weaknesses in the management of non-financial risks, such as operational risk.

And while APRA’s CPS 231 outsourcing standard has been in force since 2017, there is now a need to focus more clearly on the risks this activity poses.

“Because operational risk is decentralised, it’s much harder for an organisation to identify and therefore manage it.

Australia has had an outsourcing prudential standard for a number of years. Outsourcing and the use of service providers are very much embedded in the Australian financial services sector and there can be a lot of operational risk associated with this particular ecosystem. 

The last factor is resilience and critical operations, which for insurers will always include claims,” says Stanton.

Stanton says that carriers need to focus on their critical operations by determining factors such as tolerances around outages and establishing where the control gaps are in their systems.


Claims Processes

“For insurers focusing on their critical operations the first place to start is by looking at the claims process,” Stanton says.

King & Wood Mallesons’ Evans says that APRA is looking at all third party relationships as part of CPS 230, and that this means reinsurance treaties will need to be scrutinised.

“APRA has said that it expects reinsurance agreements are going to be regulated and have the same type of oversight as a technology or services agreement. 

Insurers need to look at that and work out how to negotiate with their reinsurance partners to insert similar types of revisions into a contract that they would with, say, a software provider.”

Evans says that APRA expects insurers to have conducted a gap analysis in order to understand the key risks their business faces. And just like a tricky maths problem, firms will need to be able to show how they arrived at their conclusions. 

“In terms of practical steps APRA has said that it’s actually expecting to see the results of that gap analysis and they’re expecting it to be pretty detailed.”

Another challenge for insurers will be looking at the tertiary impact of outsourcing agreements with APRA requiring that insurers have oversight of fourth and fifth party outsourcing, as well as third party. 

Fourth or fifth party outsourcing is when an outsourcing provider offloads some of its work to an additional firm (the fourth party). If this company then goes on to use a service provider of its own, that end firm will be providing fifth party outsourcing services.

Fifth party outsourcing

Under the impending CPS 230 regulation firms will need the same level of insight and obligations in relation to their fourth and fifth party outsourcing as they do their third. 

“This is difficult because insurers will need to have transparency through the arrangements and firms will not be able to rely on submissions from providers; firms can outsource the services but not the risks,” says Stanton.

Evans also points to the much broader scope of third party suppliers which will be contained within CPS 230 compared with the existing outsourcing standard.

Once these suppliers have been identified insurers will need to communicate with them and ensure they are meeting the requisite standards. 

“This standard takes a much broader approach than previous outsourcing requirements so there’s a possibility for more suppliers to be caught within the net of CPS 230.

They will need to be audited and insurers will require greater oversight and transparency over these relationships compared to what currently exists. 

Insurers need to be aware that CPS 230 means there’s a whole world of suppliers out there and they need to have a conversation with them. And these could be suppliers which have never had to deal with prudential standards before,” says Evans.

Evans adds that once these suppliers have been correctly identified insurers will need to review – and potentially negotiate their contracts with – these suppliers.

“That’s potentially a big piece of work. And while there’s extra time for existing contracts, new contracts that come into place, post 1 July 2025, have to be meeting those requirements.

Reviewing these contracts is a potential bottleneck for insurers because firms will need to be able to define who it’s going to apply to first before they even get boots on the ground and start talking to suppliers.”
