Our latest insights

As we watch the ramifications of the recent widespread data breach continue to play out in the media and on the floor of Federal Parliament, I keep reflecting on the requirements of APRA Prudential Standards CPS 234: Information Security and the draft Prudential Standard CPS 230: Operational Risk Management. If ever there was any doubt in the minds of Boards or Management as to why the focus on cyber security and operational resilience, then the current situation brings this into stark focus.

APRA has released draft Prudential Standard CPS 230 Operational Risk Management for comment. CPS 230 will replace CPS 231: Outsourcing and CPS 232: Business Continuity, and the sector specific standards HPS 231, SPS 231 and SPS 232. What is operational resilience? Operational risk management analyses and defines risks associated with people, processes, and systems. Operational resilience defines the approach to managing operational risks.

Following the announcement of the CPS tripartite audits in November 2020, APRA began issuing notices to regulated entities to undergo the independent assessment. The reviews are part of APRA’s four year strategy to increase the rigor of compliance with CPS 234: Information Security.

With the 2022 financial year coming to a close, private health insurers face a number of considerations in regulation and their year-end financial reporting.

APRA’s feedback focuses on ensuring recovery from high-impact cyber-attacks. Boards are encouraged to seek assurance on the entity’s likely ability to recover from a high-impact cyber-attack.

On Tuesday 23 November 2021, APRA released commentary following the conclusion of its pilot initiatives – the tri-partite audit and technology resilience data collection.

APRA has now begun issuing notices to regulated financial institutions advising them to start preparing for CPS 234 tripartite reviews.