CTPS 4.2 Requirement 1: Governance
A critical third party must ensure that its governance arrangements promote the resilience of any systemic third party service it provides, including by:
- (1) appointing one or more individuals who:
  - (a) are employees of the critical third party or members of its governing body; and
  - (b) possess the appropriate authority, knowledge, skills and experience,

  to act as the central point of contact with the regulators in their capacity as authorities having oversight functions;
- (2) establishing clear roles and responsibilities at all levels of its staff who are essential to the delivery of a systemic third party service, with clear and well-understood channels for communicating and escalating issues and risks;
- (3) establishing, overseeing and implementing an approach that covers the critical third party’s ability to prevent, respond and adapt to, as well as recover from, any CTP operational incident;
- (4) implementing lessons learned from CTP operational incidents and any testing and exercising undertaken, including but not limited to that undertaken in accordance with CTPS 5 (Assurance, scenario testing and incident management playbook exercise);
- (5) ensuring appropriate review and approval of any information provided to the regulators;
- (6) notifying the regulators in writing of:
  - (a) the names of the individuals appointed under (1);
  - (b) the business address of those individuals; and
  - (c) the email address, telephone number and out of hours contact details for each of those individuals; and
- (7) notifying the regulators of any changes to the information notified under (6) as soon as is practicable.