APRA requires insurers to identify critical services under new CPS 230 rule

It also mandates enhanced oversight of third-party service providers.

The Australian Prudential Regulation Authority (APRA) has implemented a new cross-industry operational risk standard, CPS 230, requiring insurers and other financial institutions to strengthen their business continuity and third-party risk management frameworks starting 1 July.

Under CPS 230, APRA-regulated insurers must identify critical business services, assess their ability to function during severe disruptions, and conduct robust testing of business continuity plans. 

The standard also mandates enhanced oversight of third-party service providers, with entities required to map material service dependencies and outline mitigation strategies.

Recent geopolitical tensions and cyber threats have further highlighted these vulnerabilities.
CPS 230 also compels insurers to submit a list of their most material service providers, allowing APRA to monitor concentration risks across the sector.

Whilst the regulation takes effect immediately, APRA has given smaller and less complex insurers a 12-month extension for selected requirements.