Australia’s banks, insurers have three years to renegotiate cloud and IT contracts

Banks, insurers and superannuation trustees have until mid-2025 to comply with new system resiliency and business continuity standards, and up to an extra year to have them reflected in certain outsourced IT and cloud contracts.

The requirements come under a new prudential standard called CPS 230 for “operational risk management” that the Australian Prudential Regulation Authority (APRA) proposed last year.

APRA had intended to enforce CPS 230 from January 2024, but has now pushed the start date back to July 1, 2025. 

A further transition period of up to a year is being offered in which to “renegotiate contracts with existing service providers (if required)”, though APRA said “contracts with material service providers should be updated as soon as possible given their importance to critical operations and operational risk.”

A key feature of CPS 230 is that it sets some standards for how quickly a bank or other entity needs to inform regulators when it kicks in various incident response mechanisms.

The entity has no more than 72 hours to inform APRA of an incident that is “likely” to have financial or operational repercussions, and no more than 24 hours to disclose if business continuity plans (BCP) have been activated.

APRA must also be notified prior to “any offshoring agreement” or change to one, and then after an offshoring agreement is entered into or altered.

While parts of the industry sought extra time, APRA declined extensions.

“Notifications are a vital mechanism to ensure necessary information is communicated to APRA expeditiously,” it said in a response paper.

“The notification requirements are not intended to divert an entity from managing an incident or to impose undue burden. 

“As well as ensuring that APRA is kept appropriately informed, notifications allow APRA to respond or assist as necessary, including considering any potential system-wide implications.”

APRA did clarify that notification around BCP is only necessary where there is “disruption to a critical operation outside tolerance”.

Regulated entities must define their tolerance levels, based on how long they’d tolerate a disruption, how much data loss they’d accept “as a result of a disruption”, and what minimum level of standards they could source from elsewhere as a backup, according to the text of the standard.

Where the incident is cyber security-related, and notification requirements come under a different prudential standard – CPS 234 – APRA only needs to see a notification once.

CPS 234 deals with information security, and is about the financial sector securing their data assets and reporting any breaches.

CPS 230 captures a broader range of potential technology-related outages and incidents. It also imposes specific rules around BCP and outsourcing, including fourth-party risk – suppliers of suppliers.

The new standard supersedes a number of existing ones, including CPS 231 and SPS 231 covering outsourcing, along with CPS 232 and SPS 232 covering business continuity.

Eye on disruption

APRA chair John Lonsdale said disruptions to financial services – including those that are technology-related – “can cause a major detrimental impact to the people who rely on them to pay bills, recover from financial loss or support themselves in retirement.”

“The need for APRA’s new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches,” Lonsdale said in a statement.

“This new standard will ensure that regulated entities set and test controls and maintain robust business continuity plans to respond if disruptions do occur.”

Lonsdale added that while there is now a sizable gap until CPS 230 comes into force, he expected entities “to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements.”

Cloud provider concerns centre on contractual over-reach

Among a raft of documentation released to coincide with the standard’s approval are the industry submissions to APRA’s consultation.

Unsurprisingly, a large number of cloud services providers are represented, including AWS, Microsoft, Google Cloud and Salesforce.

Under CPS 230 they face extra scrutiny on a number of fronts: from architecture and geographical location of servers and services, to the terms of service agreements.

Several providers, including Salesforce and AWS, took issue with requirements for financial institutions to specifically assess geographic location and service concentration risks – but were unsuccessful in having them excluded.

The requirements must be considered when entering into a new agreement or when “materially modifying” an existing one.

“APRA-regulated entities might interpret both the requirement to assess risks associated with the geographic location or concentration of service providers, and the more onerous notification requirements for offshoring arrangements, as encouraging them to avoid or be wary of storing data offshore or of using hyper-scale cloud providers, international service providers, or only a single cloud provider,” AWS said.

Salesforce warned the geographic considerations could also narrow down the number of services that financial firms could avail themselves of, since not all new and emerging services start out being hosted locally.

“Requiring risk assessments based on the service provider’s ‘geographic location’ also restricts the number of products available for use by APRA-regulated entities,” Salesforce said.

Both suggested – unsuccessfully – that providers should be judged on security and resiliency, instead of location and service concentration risks.

Creating CPS 230-compliant contracts is also a major concern.

CPS 230 contains clauses that, among other things, require contracts to allow APRA “the right to conduct an onsite visit” to a service provider engaged by a bank or other entity.

AWS said that needed to be clarified; Salesforce went further, stating customers may currently contact it “to request an onsite audit of Salesforce’s processing activities in specific circumstances”, but no blanket right of access is offered, especially for a party that isn’t the customer.

Microsoft, meanwhile, noted that IT contracts could be complex, and have a number of component parts and interrelated services where individual re-assessment and renegotiation could be time-consuming.

APRA to update cloud guidance

In its response paper, APRA said that 2018 guidance it released around “outsourcing involving cloud services” remains in force.

However, the guidance will be revisited and may change in light of CPS 230.

“APRA will, at an appropriate future time, undertake a full review of the cloud information paper,” it said.

“In the interim, regulated entities should continue to have regard to the practices and key principles outlined in the cloud information paper when entering into or making changes to cloud computing arrangements and continue to engage with APRA on the use of cloud.”

