Industry urged to adapt fast as new prudential rule begins
Insurers need an “entirely new mindset” to comply with CPS 230, the new prudential standard that takes effect today.
The reform aims to lift the operational resilience of businesses overseen by the Australian Prudential Regulation Authority (APRA) and to improve how they respond to business disruption.
Crucially, it also requires them to manage risks arising from materially important external service providers.
For insurers, the standard means managing the risks that arise from reliance on underwriting agencies, brokers, claims management service providers and any other third-party partners considered critical to the business.
Contracts with material service providers must meet requirements set out in CPS 230.
“Australians depend on banking to pay for goods and services, insurance helps us rebuild after a flood or fire … In an environment where one crashed server or ransomware attack could leave millions without access to these essential services, effective operational risk management is vital for financial stability and community wellbeing,” APRA member Therese McCarthy Hockey said.
“As well as identifying their own operational vulnerabilities and having plans to mitigate them, CPS 230 requires entities to have a detailed level of understanding and mitigation planning in relation to their most critical third-party service providers.
“This will require an entirely new mindset about where the boundaries of responsibility sit.”
APRA says operational resilience has grown more important in recent years as the financial system has become more interconnected and more dependent on digital technology and service providers.
The frequency and severity of cyberattacks have added to risks facing insurers and other APRA-regulated entities.
Ms McCarthy Hockey said: “It’s not that events won’t occur. We know that events may occur. It’s how quickly you can recover. Do you understand those vulnerabilities? How do you look at replacement processes and remediation and so on?
“It really is about this fast-moving environment that is just going to need ongoing vigilance and improvement processes.
“Importantly, when we think about this standard, it’s not just the processes and operations that they are responsible for directly, but it does relate to those of critical third-party service providers, and that’s because as we look at material events that are coming through in certain instances … we are seeing an increasing role for third-party service providers in those [incidents].”