APRA’s New Cyber Security Strategy: What it Means For Your Business
The Australian Prudential Regulation Authority (APRA) has just announced its Cyber Security Strategy for 2020-2024, aiming to considerably strengthen the cyber resilience of Australia’s financial system. The strategy serves as an unmistakable warning to institutions across banking, insurance and superannuation that cybersecurity needs far more focus.
Why Has APRA Revised Its Strategy?
To date, no APRA-regulated institution has suffered a substantial cyber attack; however, it may only be a matter of time until that changes. While COVID-19 has produced no obvious increase in cyber attacks on financial institutions, the pandemic is a sign that risk continues to escalate: the shift to remote working and the transition to a digital economy both widen the exposure. In a speech regarding the revised strategy, Executive Board Member Geoff Summerhayes warned that the financial system is only as strong as its weakest link. The clear message is that this is no time for complacency.
However, despite the clear risks, there are significant issues within the banking, insurance and superannuation industries. The regulator has noticed an ongoing lack of visibility and understanding at board level, and in some instances an absence of basic cyber hygiene practices. While the risk of a cyber attack is far from a new threat, boards and management do not appear to be properly equipped to oversee the risk and take the necessary action. Moreover, the severity of cyber risk appears to be poorly understood relative to risk in other areas of the business.
What is the Aim of APRA’s Strategy?
The core aim of APRA’s new Cyber Security Strategy is to eradicate unnecessary or careless cyber exposures. The strategy aims to tackle the lack of awareness by lifting security standards and introducing greater accountability. The prudential watchdog plans to apply a broader set of regulatory tools, leaning on peer regulators and government agencies to impose accountability on any entity that fails to comply with its legally binding obligations.
There are three principal aims to the strategy:
- Establish a baseline of cyber controls – by reinforcing non-negotiable cyber practices, facilitating better information sharing and enabling more effective incident response processes.
- Enable boards and executives to oversee and correct cyber exposures – by formulating sound practice guidance, improving the skillset and resourcing of internal audit functions, and boosting APRA’s scrutiny of cyber oversight practices.
- Rectify weak links within the broader financial ecosystem – by extending influence beyond banks, insurance and superannuation to cover a wide range of services and raising the level of maturity in supplier procurement.
What Does the Strategy Mean for APRA Regulated Businesses?
Until now, APRA has held off tightening enforcement. However, with so much evidence that entities are failing to comply with their obligations, the new Cyber Security Strategy will change that and highlight the seriousness of the issue. There will be a much more targeted supervisory approach, with greater accountability for boards and management, starting with sharper enforcement of CPS 234 compliance. The main things that APRA-regulated businesses should be aware of are:
- Requirement for external audit – boards must engage an external audit firm to review their CPS 234 compliance next year. The review will be conducted against the prudential standard, and the results should be reported back to APRA.
- Investment required in cybersecurity skills – there will be a requirement for more cybersecurity skills across boards and internal audit functions. This will require investment to ensure internal audit teams can step up.
- Extended APRA reach – APRA currently supervises only 680 financial entities, markets and infrastructure providers directly. It aims to influence the wider ecosystem of 17,000 interconnected entities, including non-banks, to build stronger third-party assurance practices.
- Breach notices will be enforced – breach notices will be issued more widely for non-compliance issues and, if not resolved in a timely manner, formal enforcement may be used.
While it is not yet clear which entities will need to engage external audits for CPS 234 compliance, every regulated business should prepare accordingly. Regardless, it is clearly time to take a united approach to protecting the wider financial ecosystem.
The Importance of a United Front
As in every industry, banking, insurance and superannuation face a constantly evolving adversary. To avoid defences being breached, the industry needs to dial up its supervision and scrutiny of financial institutions. After all, a cyber breach in any part of the system will impact every business. Everyone is connected, and as that interconnectivity continues to grow, so does the risk.
Whilst interconnectivity may be part of the problem, according to APRA, it could also offer the solution. In a world where an attack on one could be an attack on all, businesses have an opportunity to battle together. By sharing expertise, pooling resources, and taking prompt action to fix weak links, the chain becomes much stronger and, ultimately, harder to infiltrate.
For more information on what InfoTrust can do for your cybersecurity, contact us today.