APRA pulls data submission system after security pentest

D2A replacement was originally scheduled for 2027.

The Australian Prudential Regulation Authority (APRA) has quickly decommissioned its data submission system for entities, following a routine penetration security test on March 19 this year.

APRA said the test identified unnamed vulnerabilities, and the legacy system was taken offline the following day on Friday March 20.

Known as Direct To APRA (D2A), the system was scheduled for replacement by the end of 2027, the authority's senior data collection manager Michael Murphy said at a presentation in February this year.

D2A was nearing its end-of-life in 2018, with APRA discussing a migration from the Java-based Oracle application that required banks, insurers and superannuation firms to submit extensible markup language (XML) or extensible business reporting language (XBRL) files, or use manual data entry.

The regulator is now accelerating the move to a web-based submissions platform, known as APRA Connect, that adds the Microsoft Excel file format while dropping XBRL.

Following the security alert, APRA also advised organisations to immediately uninstall the D2A client.

"The presence of the D2A program could pose a residual risk," APRA said.

APRA also advised organisations to review system and data security measures and undertake additional checks for preventative security.

The decommissioning is precautionary, APRA said, and in line with its low risk tolerance for system vulnerabilities that could expose the authority or regulated entities to attacks.

At the same time, APRA said it was not aware of any security breaches or exploitation of its systems.

APRA released the cross-industry prudential standard CPS 234, which came into force in July 2019 and, among other measures, requires regulated entities to have security controls commensurate with the sensitivity of the data they hold and to regularly test them.

Copyright © iTnews.com.au. All rights reserved.