
APRA turns focus to big tech concentration risk

Mike Taylor, 29 October 2025

The Australian Prudential Regulation Authority (APRA) has warned superannuation funds, banks and insurers about concentration risk with respect to third-party technology service providers.

The regulator has required all its regulated entities to submit a list of their material service providers and intends to identify where particular concentration risk exists.

At the same time it has raised the issue of cloud storage and data risk, including with the implementation of artificial intelligence.

APRA Member Suzanne Smith told a forum yesterday that while the regulator expects regulated entities to invest appropriately in modernising their technology platforms, it is conscious of the dangers of concentration risk.

She said that across banking, insurance and superannuation, critical operation delivery often hinges on a concentrated set of technology vendors, noting that “if one of these technology providers fails, even temporarily, they can potentially take down every company relying on their services”.

“To better understand this risk, APRA asked all its regulated entities to submit a list of their material service providers by the beginning of this month. We have now begun analysing the data to develop a financial system-wide view of entities’ reliance on third party service providers and where particular concentration risks may lie,” Smith said.

“As finance, telecommunications, emerging technologies, and platforms increasingly converge, APRA will continue to engage with Government and regulatory peers as the Critical Infrastructure reforms evolve further. Our focus will remain on shaping sector-wide incident playbooks; improving information sharing; and participating in exercises that test industry coordination with government regulatory agencies including the Council of Financial Regulators.”

She said entities should be undertaking their own work independently to address third-party and concentration risk.

“This includes undertaking service interdependency mapping and credible scenario testing involving both complete failures and ‘degraded-mode’ operations. These need to be routine and broadly-visible – not ‘once and done’,” Smith said.

“Auditors should look for scenario design that includes multi-entity, multi vendor failures, and for clear customer outcome metrics when operating in contingency modes. Your checks need to go beyond checking documents to properly validating whether tolerance levels, mapping, and testing, truly capture real points of failure across first, second, third, and further, parties,” she said.

Mike Taylor

Managing Editor/Publisher, Financial Newswire
