Summary
As ransomware threats escalate and new regulatory requirements come into effect, strengthening operational resilience will be an ever-greater focus for financial services firms in APAC and across the globe.
Across the globe, regulators and business leaders in financial services are increasingly paying attention to the area of operational resilience (OR). The growing complexity and interconnectedness of the financial services ecosystem combined with an escalation in ransomware and other cyber risks is leading to an ever-greater emphasis on the need for robust and comprehensive operational practices and regulations.
While the EU has blazed a trail with the promulgation of the Digital Operational Resilience Act (DORA) (as highlighted in our recent blog “5 Key Takeaways from the EU’s Digital Operational Resilience Act – DORA”), operational resilience is a key focus for regulators in the Asia-Pacific (APAC) region as well.
As examples, we’ll look at steps Singapore, Hong Kong, and Australia have taken in recent years that illuminate how operational resilience is going to impact the financial services enterprise of the future in APAC and beyond.
Operational Resilience Requirements in Asia-Pacific
Examples from Singapore, Hong Kong, and Australia
Across APAC, regulators have been active over the past several years in crafting and implementing new regulations for operational resilience. Singapore, Hong Kong, and Australia present particularly good examples, but no jurisdiction is ignoring this area. Some of the highlights include:
Singapore
The Monetary Authority of Singapore (MAS) has long been proactive when it comes to operational resilience, first introducing business continuity guidelines in 2003 and continuing to expand and refine its approach. The revised guidelines now cover operational resilience, and financial institutions are “on the clock” to come into compliance: a plan to meet the regulatory requirements, along with an audit regime, was required by June 2023, and a first audit must be completed by June 2024.
To comply, a financial institution must adopt a holistic view of critical processes as well as dependencies with third-party vendors and partners for the delivery of critical business services. Concepts like service recovery time objectives (SRTOs) are mandated and regulations recognize that recovery plans must prioritize the order in which functions are restored in the event of a protracted and staged recovery process.
Hong Kong
The Hong Kong Monetary Authority (HKMA) issued a circular on operational resilience, OR-2 Supervisory Policy Manual, in May 2022, which aligns with Bank for International Settlements (BIS) standards issued in 2021. The first implementation phase of the new regulation ended in May 2023 and required that an operational resilience framework be completed along with a timeline for full compliance. The second phase stretches until May 2026, at which time financial institutions are required to be fully functional with their operational resilience plans.
OR-2 requires institutions “to conduct scenario testing for severe but plausible events, establish more comprehensive risk management policies and frameworks specific to the critical business operations identified, and to implement robust incident management programs—the requirements for which go over and above existing business continuity planning and operational risk management frameworks.” Financial firms will be required to demonstrate these capabilities through plans, testing, and reports.
Australia
The Australian Prudential Regulation Authority (APRA) released CPS 230 – Operational Risk Management for consultation in July 2022. In tandem with CPS 234 – Information Security, CPS 230 will form APRA’s revised operational resilience framework. The new standard was finalized in July 2023 and comes fully into effect as of July 1, 2025.
The aim of CPS 230 “is to ensure that an APRA-regulated entity is resilient to operational risks and disruptions. An APRA-regulated entity must effectively manage its operational risks, maintain its critical operations through disruptions, and manage the risks arising from service providers.” This includes an emphasis on responsibility at the board and senior management level, standards for performance levels in critical operations with a focus on customers and outcomes, and, similar to DORA in the EU, greater oversight of partners and critical service providers that can extend as far as fifth parties.
It makes sense to pay attention to both the form and the substance of new regulation in all of these regions, because what applies to one today is likely to apply soon to most, if not all, regulatory regimes. Operational resilience is an area where regulators across the financial industry will eventually require compliance, so it pays to be proactive and prepared with best practices for operational resilience.
What’s Needed for Readiness
As regulators across the Asia-Pacific region look to implement measures to address the principles of the BCBS’ revised Principles on Operational Resilience and the 2021 Revisions to the Principles for the Sound Management of Operational Risk, financial firms must be prepared to address the new mandates.
Data is the foundation: The enormous challenge of adapting to these new global compliance regimes comes down to data. Data is not only the primary target for threats but also the backbone for ensuring resilience, particularly in managing risks related to information and communication technology (ICT). The governance, access, management, and protection of data must be central to planning.
An inclusive approach to the new regulatory landscape: The recent wave of OR regulations introduces a wide range of new requirements, making it essential to involve more parts of the business in efforts to boost resilience. It’s a good idea to start with a fresh perspective and new metrics when looking at what the future holds, and then create a comprehensive strategy and processes that bring all the relevant parties on board, especially focusing on areas that are newly affected.
Cybersecurity is at the heart of resilience: Cybersecurity is key in a push for greater resilience, with a special focus on being proactive against ransomware threats and ensuring incidents are reported quickly and in detail. Firms need to have strategies in place that keep critical operations running smoothly and enable visibility of data flows and essential processes to spot anomalies and stop cyber threats more effectively.
Operational Resilience Resources from Pure Storage
From major financial centers in APAC to the EU and UK and on to the United States, operational resilience obligations for the financial services enterprise are developing quickly and changing the way the industry manages risk. Responsibilities and requirements can be expected to increase for the next several years, and in the future, financial services firms will be required to have and maintain strict operational resilience programs no matter where they operate.
Leveraging the expertise of Pure Storage and other partners, financial services firms can manage the intricacies of operational resilience regulations in APAC, steering toward a more secure and resilient future. Pure Storage solutions support operational resilience by design. An all-flash configuration provides unparalleled speed, simplicity, and flexibility. And with built-in data protection capabilities, such as SafeMode™, Rapid Restore, and Pure1® Data Protection Assessment, as well as a ransomware recovery SLA with Evergreen//One™ and a Zero Data Loss Guarantee with Evergreen//Forever™ and Evergreen//Flex™, financial firms can rest assured that they’re equipped for quick recovery in the event of unforeseen incidents.
To learn more, download our white paper, “Strengthening Operational Resilience in Financial Services,” or contact us for a free expert consultation.