Starting next year, APRA will be asking boards to engage an external auditor to comprehensively review their compliance with CPS 234 on information security.
APRA has announced a new Cyber Security Strategy for 2020 to 2024, aimed at lifting cybersecurity standards and introducing heightened accountability where companies fail to meet the requirements.
The new Cyber Security Strategy is designed to complement Australia’s Cyber Security Strategy 2020, released in August, and builds on existing prudential requirements including those under CPS 234 on information security, which came into force in July 2019.
“Our mission is to make a step change in Australia’s financial system cyber resilience. Our vision is for a financial system that can stand firm against cyber-attacks,” said APRA Executive Board Member Geoff Summerhayes in an industry forum on Thursday (26 November).
Last November, Summerhayes indicated that APRA had plans to take a tougher approach to ensure financial firms remained resilient to cyber threats, including through additional guidance on service provider management, among other measures.
To date, no APRA-regulated bank, insurer or superannuation fund has suffered a material cyber breach. However, the regulator is concerned that it is only a matter of time until a major incident occurs.
“Although the financial industry takes cyber risk seriously, there is room for improvement,” Summerhayes said. “For example, too many boards still lack visibility or understanding of the problems, while internal audit functions can lack the specialist skills to challenge boards and management to plug urgent gaps.”
The new Cyber Security Strategy will extend APRA’s reach beyond the 680 regulated entities it supervises to influence the broader ecosystem of suppliers and providers they rely upon. “In an environment where an attack on one of us could be an attack on any of us, our financial system is only as resilient to cyber attacks as the weakest link in the chain,” Summerhayes said.
APRA will apply a broader set of regulatory tools and techniques to cyber, acting in concert with peer regulators and other government agencies, and imposing greater accountability on entities that fail to adequately comply with their prudential obligations, he added.
The Strategy comprises three primary focus areas:
- establishing a baseline of cyber controls by reinforcing the embedding of non-negotiable cyber practices, facilitating better sharing of cyber information and enabling more effective incident response processes
- enabling board members, internal auditors and risk management professionals to be better equipped to handle cyber exposures, by formulating sound practice guidance, and stepping up APRA’s scrutiny of cyber oversight practices
- rectifying weak links within the broader financial ecosystem and supply chain, by fostering stronger third-party provider assessment and assurance practices, and harmonising cyber regulation and supervision across the financial system – encompassing fund managers, payment platforms, and software vendors, among others
To successfully implement the new strategy, APRA plans to evolve and strengthen its regulatory and supervisory approach to cyber risk, through the use of innovative tools and techniques. In particular, it will collect more data to help it better understand the cyber threat, and share this knowledge to enable industry self-assessment and benchmarking.
APRA is also looking at partnering with academia to research issues such as measuring and benchmarking cyber resilience, and exploring more formal threat intelligence sharing among domestic and international regulators to better inform its activities.
“We are also going to take a much more targeted approach to ensuring CPS 234 is being fully complied with, and holding boards and management accountable where it is not,” Summerhayes added.
He said that most financial sector entities provided “generally positive” accounts of their compliance with CPS 234 at the end of last year. However, APRA’s IT Risk specialist team discovered “significant weaknesses in every instance”, including in areas such as testing programmes, control environments and incident response capabilities.
In response, APRA will be asking boards to engage an external audit firm to conduct a thorough review of their CPS 234 compliance and report back to both APRA and the board. A decision has not yet been made as to which entities will have to undergo such an audit, but Summerhayes said “all entities should prepare accordingly”. The initiative is due to start next year.
“Where gaps are sufficiently material, we will consider forcing entities to issue a breach notice and create a rectification plan. If boards are unwilling or unable to make the required changes in a timely manner, we will consider using formal enforcement action.”