Australia | Publication | November 2023
The Australian Prudential Regulation Authority (APRA) has finalised Prudential Standard CPS 230 (Operational Risk Management) (CPS 230) following a year-long industry consultation. The new prudential standard commences on 1 July 2025 and applies to all APRA-regulated entities, encompassing banks, insurers (general, life and health) and registrable superannuation entity licensees. This article focuses on the implications for insurers.
CPS 230 is a new prudential standard aimed at ensuring that APRA regulated entities are resilient to operational risks and disruptions and that such risks are appropriately managed. APRA wants to ensure that entities:
Upon commencement, CPS 230 will replace CPS 231 (Outsourcing) and CPS 232 (Business Continuity Management), including their equivalents for superannuation (SPS 231 and SPS 232) and health insurance (HPS 231).
Operational risk is a key focus area for regulators globally. In the European Union, the Digital Operational Resilience Act (DORA) has been enacted for similar purposes, and the UK also has recently introduced an operational resilience regime for insurers (read more below). CPS 230 will require insurers to make significant changes to their governance and compliance frameworks, as well as contracting arrangements.
The board of an insurer is ultimately accountable for oversight of operational risk management, business continuity and management of service provider arrangements. It must also ensure that the regulated entity sets clear roles and responsibilities for senior managers for managing operational risks.
The board must also:
Senior management are required to manage all operational risks (including legal, regulatory, conduct or technology risks) for all business operations. Specifically, insurers must:
Insurers are also required to take steps to minimise the likelihood and impact of disruptions to critical operations. In doing so, insurers are required to identify all critical operations and ensure they are provided within set ‘tolerance levels’. Insurers must establish tolerance levels that set the maximum duration of disruption, the maximum data loss and the minimum service levels for alternative arrangements that the insurer will accept. Insurers are required to notify APRA as soon as possible (and in any event within 24 hours).
Insurers are also required to maintain a business continuity plan that details how they will maintain their critical operations during a disruption.
A ‘critical operation’ is a process undertaken by the insurer or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on policyholders or other customers. Insurers must at a minimum classify claims processing and customer enquiries, together with systems and infrastructure needed to support these functions, as critical operations.
CPS 230 requires all insurers to ensure that the risks associated with ‘material service providers’ are effectively managed. To do so, an entity must identify all its material service providers and manage the risks arising out of such arrangements. This is likely to be an extensive exercise, particularly since service providers may now also encompass insurance broker distribution arrangements. It will also require insurers to manage risks associated with ‘fourth parties’, being parties that material service providers rely on to deliver a critical operation to the insurer.
A ‘material service provider’ is a provider on which the entity relies to undertake a critical operation, or that exposes the insurer to material operational risk. Insurers must at a minimum classify underwriting, claims management, insurance brokerage and reinsurance as material service providers unless the insurer can justify otherwise.
Insurers must submit a register of material service providers to APRA annually. CPS 230 also specifies steps that must be taken before entering an agreement with a material service provider or materially altering an existing arrangement (eg due diligence and assessing the risks that could arise from reliance on a service provider).
While CPS 230 does not commence until 1 July 2025, preparation will involve significant changes to insurers’ internal operations and frameworks. Accordingly, insurers should start preparing now. APRA has set out a proactive implementation timeline in its Response Paper, setting out its expectation for insurers to identify material service providers and critical operations by mid-2024.
Where there are existing contractual arrangements in place with service providers, CPS 230 will apply from the earlier of the next renewal date or 1 July 2026.
APRA has also published a draft Prudential Practice Guide. Consultation has now closed and industry is now awaiting APRA’s finalised guidance.
Timeline by APRA
In the UK, an operational resilience regime for insurers began to apply on 31 March 2022 (alongside an equivalent regime for banks), following a one-year implementation period. The EU’s DORA, which will take effect in January 2025, also introduces similar requirements, although it applies more broadly to several other sectors in addition to insurance and focusses specifically on IT services rather than encompassing other ‘critical’ services.
There are some useful lessons learned from firms’ experiences so far of implementing the UK regime that could be helpful when preparing for CPS 230. One such lesson is the importance of identifying the key service providers: this requires a firm to fully understand its own business dependencies, which can in some cases be less obvious than the firm might expect. Operational resilience will also need to be considered holistically, with all relevant stakeholders and skill sets involved; for example, there will be important roles for legal, compliance, risk management, procurement, IT and the business itself.
In addition, firms should note that operational resilience may need to be approached on a group basis. Many insurance companies are within corporate groups where services may be procured centrally or via an affiliate (often with chains of contracts which add an extra layer of complexity), policies may be defined at group level, and groups may seek to try to apply a common standard or at least to approach local requirements in a standardised way. Whilst this is not easy to navigate, there are ways of achieving it, to a certain extent at least.
To prepare, insurers could consider:
Implementation of CPS 230 will be a significant exercise and also overlap with the implementation of the Financial Accountability Regime (see our article). Insurers should take the opportunity to review governance frameworks and operating models holistically to ensure they are prepared for the future.
© Norton Rose Fulbright LLP 2025