Operational Resilience Regulations for Financial Services – The Role of CRQ


The Australian Prudential Regulation Authority (APRA) is the latest financial regulator to release proposed regulations on operational resilience[i], prompting me to collect my thoughts on how a Balbix-style cyber risk quantification (CRQ) solution could help firms meet these regulatory obligations.

A brief history

For those of you not familiar with financial services regulation, or the operational resilience requirements that have been emerging over recent years, here’s a brief history.

As ever, regulation tends to follow lived experience: harm to customers or to the financial system occurs, and regulatory bodies then find themselves needing to introduce requirements to protect both. This was the case in 2017 when, on the back of a number of high-profile incidents, including WannaCry and the Equifax breach, G20 finance ministers and central bank governors determined that cyber risk had the potential to disrupt the financial system on a supranational scale.

Furthermore, in the UK, it was determined that a number of major disruptions to customers were caused by poorly managed IT upgrade programmes at a number of high-street banks….
