Posts tagged March
APRA's Policy Priorities 2019

APRA has recently announced its priorities for 2019. The excerpts below are the ones most relevant to operational risk management and business continuity practitioners. See here for the full report.

“Operational risk and related standards

APRA has commenced an important project to update its existing prudential standards and guidance on outsourcing, business continuity and information security, which apply to entities in the banking, insurance and superannuation industries. The objective of this initiative is to align prudential requirements with industry better practice and community expectations for a high degree of resilience to material operational risk incidents.

In conjunction with these more technical standards, APRA’s intention is to issue broad-based expectations for operational risk management and resilience that align to the overarching risk management framework. APRA will take the opportunity to streamline existing requirements where appropriate.

The first stage of this project, involving a new prudential standard on information security, was finalised in late 2018, with the new standard to commence on 1 July 2019. APRA will consult on associated guidance on information security in the first half of 2019. Subsequently, requirements for operational risk management and revised standards for business continuity and outsourcing (updated to cover service provision more broadly) will be the focus of consultation over the course of 2019.”

Our reading of the tea leaves is that there could well be considerable changes to the way APRA regulates the Australian finance market in the near term. The outcome of the Hayne Royal Commission and the looming risks from climate change mean that, over the next twelve months, our business continuity plans will likely need to be thoroughly reviewed.

Banking regulator warns major cyber breaches are 'probably inevitable' | SMH

Cybercrime is a growing industry and the finance sector is regarded as a key target. Despite the growing threat and the inevitability of an attack, APRA says there are still financial institutions that have not tested how they would cope with a cyber attack.

In response to the growing threat of a cyber attack, APRA on Wednesday released its first prudential standard on information security (still in draft format), which will set minimum standards for how the sector handles cyber risks.

Institutions will be required to undertake regular testing of their cyber defences, have robust systems in place to detect threats, and set out which senior staff are responsible for cyber security. The discussion paper can be found here.

"Implementing legally binding minimum standards on information security is aimed at increasing the safety of the data Australians entrust to their financial institutions and enhance overall system stability," Mr Summerhayes said.

Unprepared for data breach notification laws? Here's what you need to do if things go wrong | AFR

Experts are reporting that thousands of Australian businesses aren't ready to comply with the data breach mandatory notification law that kicked in from February 22. Research by cyber security specialists CyberArk concluded that as many as 44 per cent of enterprises aren't up to speed, and other security professionals are queuing up to echo the sentiment.

The new law is simple enough in principle. It's compliance in practice that will cause headaches.

If your organisation is covered by the Privacy Act, and you have other people's personal information in your care, and it ends up somewhere or with someone it shouldn't, there's a clock ticking.

The Amazon Web Services outage: business continuity implications and actions | Continuity Central

On Feb 28th 2017 a four-hour outage impacted one of Amazon Web Services’ (AWS) largest cloud regions, US-EAST-1 in North America. Since many enterprises rely on AWS, this outage, many times longer than the expected annual downtime for the S3 cloud storage system where the issue occurred, is highly concerning and requires a rapid review by business continuity managers.

The outage, caused by high error rates affecting the Amazon Simple Storage Service (Amazon S3), commenced at 12:35 pm ET and was fully restored by 4:49 pm ET, according to AWS. Amazon S3 is ‘object storage with a simple web service interface to store and retrieve any amount of data from anywhere on the web’ says AWS. It is marketed as being ‘designed to deliver 99.999999999% durability’; a claim which is now clearly questionable!

The lessons from this incident need to be learned, and Continuity Central would like to invite the views of business continuity professionals. To do this they have set up a quick Survey Monkey survey: please take part here; it will only take a few minutes.