iTnews

APRA targets cyber hygiene and board oversight with new security strategy

By Tess Bennett on Nov 27, 2020 11:28AM

Toughens cyber stance.

APRA has unveiled a new cyber security strategy and flagged it will step up its review of current cyber compliance, holding boards accountable for shortfalls. 

The prudential regulator’s cyber security strategy for 2020 to 2024 seeks to lift cyber security standards and introduce heightened accountability where companies fail to meet their legally binding requirements. 

In a speech to the Financial Services Assurance Forum yesterday, Geoff Summerhayes, executive board member of APRA said the new strategy seeks to safeguard an increasingly connected network of financial entities, increase board oversight and improve basic cyber hygiene practices.  

Summerhayes said APRA wants to “eradicate unnecessary or careless cyber exposures” by establishing a baseline of cyber controls. It is starting by sharpening its enforcement of CPS 234 compliance.

CPS 234 was introduced last year to shore up the sector's cyber resilience and requires banks, insurers and superannuation funds to maintain security capabilities, conduct regular tests and notify the regulator if incidents occur. 

Boards will be required to engage an external audit firm to review CPS 234 compliance next year, after the regulator identified that many entities are failing to adequately comply with the rules.

While APRA previously made concessions to reduce the regulatory burden so the industry could focus on its pandemic response, Summerhayes said “this is one area where APRA can no longer hold off tightening the regulatory screws”.

“It’s close to 18 months since CPS 234 came into effect, and we are still seeing too many basic cyber hygiene issues across the industry,” Summerhayes said.  

“We are also going to take a much more targeted approach to ensuring CPS 234 is being fully complied with, and holding boards and management accountable where it is not.” 

Summerhayes also called for more cybersecurity skills across boards and internal audit functions. 

“Too many boards still lack visibility or understanding of the problems, while internal audit functions can lack the specialist skills to challenge boards and management to plug urgent gaps,” he said.    

“Cyber risk is hardly a new threat, yet many boards across our regulated population are still not properly equipped to oversee cyber matters and direct corrective action where necessary.” 

The strategy will formulate enhanced cyber guidance for board members, internal auditors, and risk management professionals. 

A complex network 

The new strategy also aims to extend APRA’s reach beyond the 680 entities it regulates to a wider ecosystem of 17,000 interconnected financial entities, markets, and infrastructure that provide products and services to consumers.  

“We know that a cyber breach in any part of the system – such as an insurance broker, a credit ratings agency, an IT service provider or ATM repair service – can have a cascading impact on the whole system.” 

APRA will develop stronger third-party provider assessment and assurance practices for use by APRA-regulated entities, raising the level of maturity in the supplier procurement and oversight practices. 

Despite the heightened cyber risks, Summerhayes said there is “no obvious sign” of an increase in cyber adversaries targeting banks, insurers or super funds during the period of COVID-19 remote working.

“This is not cause for complacency, given it can take months or years for some cyber attacks to be detected, while we are acutely aware that our major financial institutions ward off attempted cyber-attacks on a daily basis,” he said. 

Summerhayes noted the cyber risks continue to accelerate and APRA’s mission is to “make a step change in Australia’s financial system cyber resilience”.
