Resilience has become a board-level concern for the Australian financial services industry ahead of the new CPS 230 operational risk management standard from industry regulator the Australian Prudential Regulation Authority (APRA), according to industry experts.
Australian banks, insurers and superannuation funds must meet APRA’s new consolidated CPS 230 standards for operational risk management. Businesses classified as “critical” financial institutions must comply by July 2025, while non-critical financial institutions must comply with certain business continuity requirements and scenario analysis requirements by July 2026.
The standard focuses on corporate resilience. Entities subject to CPS 230 must ensure continuity of critical operations during business disruptions. Compliance is closely tied to technology, as organisations must keep the systems that underpin critical services running through events such as cybersecurity incidents and other disruptions.
Jamie Simon, director of banking and financial services at Amazon Web Services, told TechRepublic that APRA-regulated industries are well prepared for the introduction of new requirements next year.
“We have now spent quite a bit of time understanding the intent and working with our customers to help them prepare for this. It’s going very well across the industry,” Simon said.
Real-life examples highlighting the importance of resilience
Resilience, along with cybersecurity, has become a top priority for the boards of APRA-regulated entities. There is now increased attention from top to bottom on ensuring that businesses can effectively meet their obligations.
A key driver of this change is CPS 230, which places responsibility on the board of directors for overseeing operational risk management, including business continuity and the management of service provider contracts.
Recent public incidents in the sector have further highlighted the importance of resilience, providing boards with concrete examples of what can go wrong and why proactive oversight is essential.
Last October, an outage at the Australian Retirement Trust, the country’s second-largest pension fund, meant about 100,000 pensioners had to wait an extra five days for their payments. That same month, system issues and outages also affected Westpac, where customers struggled to access banking and payments for three days.
“Any time there is a public event of any kind, it increases the level of visibility and awareness at the board level,” Simon said. “Regulators are placing more emphasis on ensuring that posture, positioning, design and work practices are actually robust and well set up to minimize or prevent such incidents in the future.”
He added that there is a bell curve when it comes to how prepared the market is for regulations like CPS 230, shaped by each institution’s capability and capacity to understand and prepare for it. However, he said some of the larger companies, which carry more risk and would be subject to the regulation first, were establishing their own risk practices that exceeded APRA’s guidance.
“They are actually in a much better position than the outline or call for guidance. I think this is a really positive thing for the Australian financial services industry,” Simon said.
SaaS system observability is considered a key way to increase resilience
Visibility of the SaaS supply chain is an area the financial services industry is actively pursuing. Under CPS 230, financial services entities must strengthen third-party risk management to support resilience and ensure that all risks arising from critical service providers are appropriately managed.
“Regulatory changes mean we need to take more responsibility for understanding and managing the entire supply chain,” Simon said. “I think this is where a lot of people are going ahead of the guidelines. They are working really hard to understand what complete end-to-end looks like and to work with their suppliers.”
Simon said one industry trend is the large-scale adoption of third-party SaaS providers. Institutions are no longer running the infrastructure themselves, but are asking providers to run the physical infrastructure underneath what “can sometimes be very critical workloads.”
Simon said ensuring strong observability across all systems and third parties is key. This means having the right tools in place to monitor, understand and proactively identify risks across both an institution’s own systems and those of its third parties, which requires institutions to work closely with major cloud service providers such as AWS.
“AWS is really working to provide the right level of visibility across our systems so our customers can have confidence that their entire supply chain is protected and secure,” he added.
Resilience can be a driver of innovation
Given the impact disruption can have on businesses and on the customers who bear the consequences, a focus on resilience is necessary.
“Any significant disruption in visibility that disrupts customer service for a period of time can lead to customer churn,” Simon said. “This can lead to significant customer dissatisfaction, which can have a significant impact on sales. This applies to all industries, not just financial services institutions.”
However, he said the conventional view treats innovation and resilience as competing goals. “It’s often talked about as a balanced approach, as if you’re trying to find a balance between the two.”
But he said AWS strongly believes that with a strong resilience and security posture, “we can actually move more confidently and faster as we start to innovate in AI, business process automation, customer experience automation, etc.”
“This allows us to drive significant automation into our resiliency and security practices, which helps us improve and becomes a really positive flywheel effect,” he said.
Rather than treating resilience as a trade-off against innovation, he said, the relationship between the two can be understood as better resilience and security driving faster, safer innovation.