Regulators and industry experts are urging Australian financial institutions to look more closely at third-party operational resilience, amid concerns that current arrangements are inadequate to guard against serious – but plausible – threats.
The situation is particularly acute where oversight of third-party cyber resilience is concerned. A recent ‘Cyber Pulse’ survey conducted by the Australian Securities and Investments Commission (ASIC) and published last week found that 44 per cent of market participants do not manage third-party or supply chain risks where cyber security is concerned.
Cyber security is by no means the only operational risk facing institutional investors, but it is a critical one.
Despite this, the survey found that a ‘concerning 69% of the 697 survey participants indicated they had minimal or no capabilities in supply chain and third-party risk management, with 58% of participants indicating they do not test cyber security incident responses with critical suppliers.’
The Australian Prudential Regulation Authority (APRA) uncovered similar weaknesses earlier this year when it conducted an independent tripartite cyber assessment to check compliance with CPS 234 Information Security.
With respect to third parties, the review found that information security control assessment plans for third parties have limited scope, or in some cases, do not exist; control design and operating effectiveness are often based on the third party’s self-assessment only, without verification through additional independent testing; control testing evidence is not being retained to substantiate test conclusions; and the nature and frequency of testing is not aligned to the criticality and sensitivity of information assets managed by third parties. This is despite the fact that regulated entities have had more than four years to come up to speed with the standard, which came into effect in July 2019.
The findings caused APRA Member Therese McCarthy Hockey to state in a recent speech that the regulator was “rapidly running out of patience” with the slow uptake of CPS 234.
The regulators’ comments are backed by industry experts and third parties themselves – particularly those who work with global businesses and are used to more stringent reviews and due diligence conducted in regions like Europe and the US.
“Compared to markets like Europe and the US, where operational resilience is taken extremely seriously, the situation in Australia is less than ideal,” Karti Mahendran, Principal at Deloitte, told Fund Business.
“In Europe and the US, you can’t tick a box without a regulator asking you follow up questions. ‘Do you know what you have ticked? Why did you tick it? Where is the evidence for where you have ticked?’ In Australia, organisations will usually find the most feasible service provider to effectively tick a box to confirm to APRA and ASIC that the client is conformant and that’s considered acceptable.”
The result, Mahendran said, is that regular business continuity process (BCP) and disaster recovery (DR) reviews continue to highlight situations where effective due diligence of third-party providers is found wanting.
Common weaknesses include organisations not conducting due diligence or considering practical BCP or DR solutions at all, for example by over-relying on their service provider’s assurances; or conducting or commissioning desktop-only reviews of cyber and other operational risk management processes without actual site visits to confirm that the documented processes, people and systems are in place and fully operational.
In some cases, Mahendran noted, third-party service providers have presented misleading documentation regarding the existence of back-up systems in specific localities, a situation that is particularly challenging when disaster recovery plans are activated.
Speaking at the 10th Fund Summit in Sydney last month, Marian Azer, Managing Director at Milestone Group, also highlighted a comparatively slower uptake in third-party scrutiny on the part of organisations in Australia compared to global organisations. “I’m only starting to see the tip of it in Australia to be honest. If we look at some of the queries and questions and dialogue that we are having with existing clients or our consulting community, they are starting to ask those questions around ‘How confident are you about your technology, your business and operational resiliency, and if I were to partner with you today what risks are you adding to my organisation?’” She added that those are the bare minimum of questions that Milestone Group would ask of its own third-party service providers.
“It is really important when you are deciding to put new technology in, or if your partners put new technology in, that you ask the right questions and that you are informed. And if you don’t know, get the experts in to make sure that they are asking those questions. You have to make sure that you understand what risks they are bringing to your organisation, their contingency plans and what operational resilience looks like to them and that cannot just be a BCP test or tick box approach,” Azer said.
Introducing CPS 230
Third-party resilience is becoming a more acute priority with the introduction of CPS 230 Operational Risk Management, which is scheduled to come into effect in 2025. Among the key tenets of the 12-page document is a recognition that regulated entities will no longer be able to pass the buck to service providers in the event of a third-party operational risk failure.
Instead, from 1 July 2025, APRA-regulated entities will need to have an end-to-end view of operational risk, incorporating the same level of understanding of their most critical third- and fourth-party service providers as they do of their own internal operational vulnerabilities, along with plans to mitigate these risks.
As McCarthy Hockey put it: “Those [third- and fourth-party service] providers will need to be seen almost as a part of their own operation. An insurer may not be directly responsible for its website going offline when a network gateway fails, but it will be responsible for the outcome – which is the inability of customers to lodge claims or access other services.”
Anvij Saxena, Chief Risk Officer at Insignia Financial, said the new regime requires a very different way of approaching risk. “Operational resilience under CPS 230 is an entirely new way of thinking. It’s not coming at it from a system-by-system perspective, it is actually an end-to-end process perspective about how we do business,” Saxena said.
CPS 230 – like most APRA regulation – is principles-based. It sets out a set of high-level regulatory expectations including that APRA-regulated entities must “effectively manage” operational risks; set and maintain “appropriate standards for conduct and compliance”; maintain critical operations within tolerance levels through severe disruptions; and manage the risks associated with the use of service providers among other things.
Proponents of that approach say that it forces organisations to truly think about the risks that matter to their businesses and tailor their risk management frameworks accordingly, without getting bogged down in red tape and compliance that may not be as relevant as it could be and that, in the worst case, incentivises organisations to look for loopholes.
As Saxena put it: “It doesn’t go into the specifics of what an organisation’s critical processes are to be, it doesn’t go into the specifics of how it is to link with our risk frameworks. What it is saying, which is very intuitive, is that you have to understand what those processes are that matter most to us and to our customers, and we have to ensure that we are assessing the health of those and linking them back to our risk frameworks,” he said, adding that it was critical that those processes were embedded on an ongoing basis. “Resilience is like a muscle, you have to keep practicing it, it’s not something that is ever set and done,” Saxena said.
If executed as intended, that approach should result in risk frameworks that are well defined and suited to each individual organisation’s particular risk profile.
Nick Potter, Head of Corporate Risk at QIC, which itself is not captured by CPS 230 but does look to align and conform as best practice, also pointed out that the intent is solid. “We absolutely agree with the concept of being able to show what your key risks and processes are, there is a benefit to everybody in being able to do that,” Potter said.
The downside of APRA’s approach to date is that it doesn’t provide organisations with a lot of clarity or examples of what “good” looks like. Compared to the UK’s Financial Conduct Authority (FCA), which has published a range of practical guides, case studies and reports outlining examples of plausible high risks to stress-test businesses and other examples of best practice risk management, APRA’s guidance to date is light on detail.
“In my opinion, the regulation is very academic and it’s not particularly clear to those who are required to comply on exactly what the expectations are. Here’s a principle, but what does it mean?” Mahendran said, adding that the market would benefit from – at a minimum – some examples to see how other organisations are implementing the requirements.
QIC’s Potter also said that the challenge is in the interpretation and the implementation, particularly considering the fact that the regulation itself recognises that different organisations are at different levels of maturity and what works for one may not be suitable to another.
“The challenge is in the interpretation of the principles. It’s questions around how deep do you go? You can get yourself absolutely swamped in the process of identifying risks and controls and that can lead to a system that’s full of information that no one really cares about,” Potter said.
Some of that clarity may come through industry cooperation and consultation, and some of it can be found on other regulators’ websites, but what is clear is that it is going to be on the industry to take CPS 230 seriously.
“In the past 12-18 months there has been a spate of very high-profile instances that have occurred across the industry that have shown practices to be wanting, so doing nothing is clearly not an option. […] As an industry it is really on us to demonstrate and prove that we can take a principles-based regulation like CPS 230 and deploy it in a way that doesn’t lead to future ‘own goals’,” Saxena said.