APRA Member Therese McCarthy Hockey - GRC2023

From fires to firewalls: The evolution of operational risk

Good morning and thank you for the invitation to speak to you today.

A little over a month ago, APRA released a new prudential standard focused on strengthening the management of operational risk by banks, insurers and superannuation trustees. Its purpose is to build heightened capability to proactively manage the risks that arise from operating a business, including risks that may compromise their ability to provide services to the customers who depend on them: to pay for essential goods and services; to rebuild their home after a bushfire; to fund vital medical treatment; or to maintain a dignified lifestyle in retirement.

The concept of operational resilience isn’t a new one, however the nature of the risks has evolved over time as the financial sector and customers have become ever more reliant on innovation and digital technology. In one my favourite films, the 1995 crime drama Heat, Robert De Niro leads a gang of ruthless bank robbers, while a world-weary detective played by Al Pacino tries to hunt him down. One of the movie’s most memorable scenes sees the gang get into a deadly shootout with police during an attempted bank heist. It makes for spectacular viewing, but 27 years later, criminals can steal much more money – with far less risk – from behind a computer screen on the other side of the world. For that reason, the most widespread threats to business continuity today are less to do with breaking into safes and more to do with breaking into servers; less about office fires than breached firewalls; more likely to stem from floods of phishing emails than a flooded warehouse. In an environment where one crashed server or ransomware attack can leave potentially millions of Australians without access to funds, the ability to mitigate operational risks is essential for financial stability and community well-being. 

Innovation brings opportunities but also risks. Risk mitigation, however, can lag behind the innovation that created it on the basis that people have a bias to optimism. History shows that real events can be much worse than anticipated and mitigations can fall short. We saw this at the start of the pandemic as businesses scrambled to put their pandemic plans into effect by moving to fully remote working. On the whole, this was done successfully and almost seamlessly, keeping people in jobs and the economy growing. But the rush to implement new ways of working also created unforeseen problems, especially around IT security and network capacity, that had to be rectified after the fact. 

The challenge we’re now seeing with operational resilience is that not only is the speed of technology and innovation threatening to outpace the ability of businesses to keep up with the risks, but the threat landscape itself is accelerating too. Countering this will take significant time and investment and – importantly – a new mindset to ensure sustainability of practice. By setting a target for entities to aim at and a firm date by which to hit it, our new cross-industry prudential standard CPS 230 is designed to light a fire under our regulated entities so they act with the heightened urgency this issue requires.

A burning issue

APRA only began consulting on CPS 230 last July, and yet the operational risk environment has already shifted substantially in that short time. (For those not familiar with APRA-speak, CPS stands for “cross-industry prudential standard”.)  

Twelve months ago, APRA still talked about it being a case of “when” rather than “if” one of our regulated entities suffered a major cyber breach. We’ve now had several. The impact of these attacks was felt by many and put information security front of mind for more than just board directors but Australian consumers too. The frustration felt by those who had had their passport or other personal information exfiltrated by these cyber criminals, combined with the burden of having to replace documents, is something we all became quickly familiar with. 

The scourge of scams has dramatically worsened as it was revealed Australians lost $3.1 billion in 2022¹  – up 80 per cent on the previous year – resulting in heightened scrutiny on the role of banks in facilitating these transactions. Although our peers at the Australian Competition and Consumer Commission and Australian Securities and Investments Commission remain the lead agencies in tackling scams, the Council of Financial Regulator agencies are all working together to do what we can. We at APRA stepped up by writing to entities about the importance of multi-factor authentication to combat the risk of cyber-attacks and fraud. 

Consistent with trends across the globe, Australia saw a drop in the quantum of money as the amount of physical cash in the economy shrunk for the first time since the conversion to decimal currency. Consumers are marching with their feet – or rather, not marching – but “tap and go”-ing. A Reserve Bank report found only 13 per cent of transactions in 2022 were made in cash, with older Australians abandoning notes and coins at the fastest rate². 

Potentially the most seismic change is the advancement of generative artificial intelligence (AI), which the Chair of the US Securities and Investments Exchange Gary Gensler forecasts will become “the most transformative technology of our time, on par with the internet and mass production of automobiles”³. Like any innovation, generative AI will bring benefits and risks, and we don’t yet know what they will be. For this reason, financial regulators globally are beginning to consider the implications for financial stability. When APRA’s latest Corporate Plan is released next week, you will note that AI is on our radar too. As when cryptocurrency emerged on the scene, our initial guidance to industry will be to tread carefully when using these advanced AI technologies: conduct due diligence, put appropriate monitoring in place, test the board’s risk appetite and ensure there is also adequate board oversight.

All of these developments have a few things in common. The obvious one is the connection to technological innovation. The second is that these innovations rely on the successful integration of multiple technologies provided by a range of financial system players: the banks, insurers and super funds themselves, the cloud, payments providers, telcos and big tech companies. A failure at any point in the chain has the potential to break down services to the entire system – with system latency and backups being ever more important. And as customers become increasingly dependent on digital services for their financial needs, any breakages have become more consequential for financial stability and community welfare. 

Turning up the heat

The scale of the transformative challenge becomes apparent when we look at financial industry progress in meeting APRA’s prudential standard on information security, CPS 234.The standard, which sits alongside CPS 230 under the umbrella of operational resilience, came into force in 2019. Yet recent analysis from the first tranche of  independent assessments against the information security standard reveals many banks, insurers and superannuation trustees are still struggling to meet their minimum requirements. 
Given that cyber-risk is at or near the top of every corporate risk register today and has been for several years, the obvious question is “why?”.

There is a range of answers: the evolving nature of cyber threats means organisations are constantly firing at moving targets; increasing reliance on multiple outsourced service providers creates complex webs of interconnectivity, which makes oversight harder; furthermore, we know that many of our entities have laboured to migrate legacy systems to new, more secure platforms.

APRA has also observed a long period of insufficient investment in both cyber security technology and personnel with the necessary skills and experience, especially among smaller organisations that lack the deep pockets of the industry giants. But if we were to identify a root cause it would be that information security has too often been seen by boards as a technology risk and not an overall business risk. Rather than leaving cyber resilience to the IT and cyber-security departments, boards need to become much more tech savvy and alert to how the threats have changed, in particular for the data they collect and manage. Boards need to provide stronger oversight of these “crown jewels” in order to address threats as they emerge with the expediency they deserve.

Understanding these reasons is not the same as accepting them, and APRA is rapidly running out of patience with the slow pace of uplift. Three years after CPS 234 was implemented, and with the backdrop of a growing list of cyber incidents, entities should expect to see APRA taking strong action. Where an entity is found to be significantly wanting in its compliance with our information security requirements, additional capital requirements of the kind imposed on Medibank may well be a likely outcome.

Sparking action

Given the close connection between information security and operational risk, we’re conscious of the potential for the same types of compliance gaps we’ve seen on cyber to emerge with our newest standard. As a result, we’ve not only designed a prudential standard that lifts industry practices on operational risk management but also an implementation schedule to ensure entities are not still playing catch-up several years down the track.

To start with, CPS 230 sets a firm deadline of 1 July 2025 for compliance. The two-year runway is longer than might normally be the case for a new APRA prudential standard and follows appeals from industry for more time to prepare. But APRA won’t be waiting for the implementation date to examine industry readiness. We will be assessing entities’ preparedness for the new standard throughout 2024, starting in less than six months. Prudent boards should not be waiting until the new year to start thinking about how to meet their new commitments. They need to move now.

With the clock now ticking, we expect boards to focus on three key actions:

1. Putting the right governance arrangements in place;
2. Identifying critical operations and material service providers; and
3. Beginning to develop a new organisational mindset.

With regards to governance, we expect boards to ensure robust governance over the change management process to successfully implement the requirements of the standard. This would typically be supported by a formal change management plan that includes key milestones correlating to the requirements of the standard. Boards and management also need to start planning how they are going to ensure they have the resources to meet the new requirements. This includes financial capacity, but also potentially ensuring they have enough people with the right skills and expertise. 

When it comes to critical operations and material service providers, we expect entities to have identified these by the middle of next year and be well positioned to set tolerance levels by the end of 2024. We also expect entities to perform detailed gap analysis against the requirements - identifying areas of challenge to implementation and putting in place actions to resolve these challenges. The goal here is to ensure any concerns are flagged early, and course corrections made. 

Above all, entities must build a new mindset about where their boundaries of responsibility sit. Perhaps the most significant change introduced by our new standard is the requirement for an end-to-end view of operational risk, with a focus on critical operations, including those performed by third and fourth parties. APRA-regulated entities will no longer need to simply be aware of their own internal operational vulnerabilities and have plans to mitigate them. From 1 July 2025, they must have the same level of understanding of their most critical third-party service providers – as well as their most critical fourth-party service providers. Those providers will need to be seen almost as a part of their own operation. An insurer may not be directly responsible for its website going offline when a network gateway fails, but it will be responsible for the outcome – which is the inability of customers to lodge claims or access other services.

Through this transition phase, when APRA engages with entities on CPS 230 readiness (and we will!) governance will be front and centre.  Entities can expect us to ask about:

• the outcomes of any gap analysis undertaken by them or their external assurance provider;  
• the progress made against the change management or transition plan for compliance against the new standard;  
• their plan for demonstrating compliance against operational risk, business continuity management and service provision elements as well as any key challenges or blockers to this; and
• any lessons learned in the process to date.

An uncomfortable truth is that embedding this kind of step-change in operational resilience management will be harder for some entities than others. If our experience with cyber is a guide, it’s typically smaller entities that find it most challenging to budget for constant IT upgrades, new systems and the need to hire additional, highly skilled employees. APRA is aware of instances where entities have recognised that they simply don’t have the size or financial heft to do this on their own and have looked for merger partners. To assist the smaller end of town, APRA has indicated that it does not expect an identical approach to resilience activities at all entities, but rather expects to see each entity applying the standard in a way that is commensurate with the size, business mix and complexity of its operations. 

This brings to me to another issue being raised, especially by smaller entities – the desire for regularly updated guidance on APRA's expectations in a fast-evolving external environment. Our principles-based prudential standard has been designed to support the ongoing changes in the external environment, especially in the technological arena where there will be risks emerging that have not yet been contemplated. Due to this, set-in-stone guidance doesn’t always make sense as it can be out of date almost as quickly as it’s developed.  But APRA has listened, and in response we are looking at how we can provide timely insights on current practice and what uplift is needed less formally. Our insights into the themes from the independent information security exercise is a good example of how we intend to provide fresh insights and transparency to help regulated entities respond.

Formal prudential guidance does have a place though.  As part of our consultation for the prudential guidance that will accompany CPS 230, we are asking entities to tell us what information would assist them to successfully implement the new standard. It is important that entities take the opportunity to do this prior to 13 October to ensure that all relevant feedback is included.

Ignition time

Technological innovation in finance has delivered tremendous benefits for businesses and customers, such as increased convenience, greater efficiencies and lower costs. But each advance also creates vulnerabilities, as anyone who’s fallen prey to an online scammer could attest. A realistic film about bank robbers in 2023 would probably be less like Heat and more of a cross between The Social Network, Hackers – and maybe even sci-fi classics like the Matrix or Tron!

With the benefit of hindsight, many operational risk failures might well have been prevented, hence the importance of focus in this area. Embedding an entirely new way of thinking about operational risk across an entire business operation will not be easy. Identifying compliance gaps and critical risk functions across third and fourth parties will not be quick. Upgrading systems and recruiting people with the requisite skills will come at a cost. But these enhancements are also not optional – not because it’s what APRA demands but because being protected from harm is an outcome that the community has come to reasonably expect.

APRA has delivered a longer than usual implementation period for our new standard on operational resilience given the scale of the change – now it’s up to banks, insurers and super trustees to deliver on the new requirements. Should they fail to do so, don’t be surprised to see APRA apply a little heat of its own.
 

Footnotes

[1] ACCC calls for united front as scammers steal over $3bn from Australians | ACCC

[2] Consumer Payment Behaviour in Australia | Bulletin – June 2023 | RBA

[3] SEC.gov | “Isaac Newton to AI” Remarks before the National Press Club