Blog

APRA’s New Cyber Security Strategy: What It Means For Your Business

Cyber Defence Team
December 7, 2020
Home

Let's Get STARTED

The Australian Prudential Regulation Authority (APRA), has just announced its Cyber Security Strategy for 2020-2024, aiming to make a considerable change to Australia’s financial system cyber resilience. The strategy serves as an indisputable warning to institutions across banking, insurance and superannuation that cyber security needs more intense focus.

WHY HAS APRA REVISED ITS STRATEGY?

To date, no APRA institution has suffered a substantial cyber attack; however, it could only be a matter of time until that changes. While there have been no obvious signs of an increase in cyber attacks on financial institutions due to COVID-19, it is a sign that risk continues to escalate. There is a growing danger from the shift to remote working and the transition to a digital economy. In a speech regarding the revised strategy, Executive Board Member, Geoff Summerhayes, warned that the financial system is only as strong as its weakest link. The clear message is that this is no time for complacency.

However, despite the clear risks, there are significant issues within the banking, insurance and superannuation industries. The regulator has noticed an ongoing lack of visibility and understanding at board level with an absence of basic cyber hygiene practices in some instances. While the risk of a cyber attack is far from a new threat, boards and management don’t appear to be properly equipped to oversee the risk and take the necessary action. Moreover, the severity of risk seems to be badly interpreted compared to risk in other areas of business.

WHAT IS THE AIM OF APRA’S STRATEGY?

The core aim of APRA’s new Cyber Security Strategy is to eradicate unnecessary or careless cyber exposures. The strategy aims to tackle the lack of awareness by lifting security standards and introducing higher accountability. The prudential watchdog plans to apply a broader set of regulatory tools, leaning on peer regulators and government agencies to impose accountability on any entity that fails to comply with the legally- binding obligations.

There are three principal aims to the strategy:

  1. Establish a baseline of cyber controls – by reinforcing non-negotiable cyber practices, facilitating better information sharing and enabling more effective incident response processes.
  2. Enable boards and executives to oversee and correct cyber exposures – by formulating sound practice guidance, improving the skillset and resource of internal audit functions and boosting APRA’s scrutiny of cyber oversight practices.
  3. Rectify weak links within the broader financial ecosystem – by extending influence beyond banks, insurance and superannuation to cover a wide range of services and raising the level of maturity in supplier procurement.

WHAT DOES THE STRATEGY MEAN FOR APRA REGULATED BUSINESSES?

Up until now, APRA has held off tightening enforcement. However, with so much evidence that entities are failing to comply with legislation, the new Cyber Security Strategy will change that and highlight the seriousness of the issue. There will be a much more targeted and supervisory approach with greater accountability for boards and management. This will start with a sharpening of CPS 234 compliance enforcement. The main things that APRA regulated businesses should be aware of are:

  • Requirement for external audit – boards must engage an external audit firm to review their CPS 234 compliance next year. This will be conducted against the new prudential standard, and compliance should be reported back to APRA.
  • Investment required in cyber security skills – there will be a requirement for more cyber security skills across boards and internal audit functions. This will require investment to ensure internal audit teams can step up.
  • Extended APRA reach – APRA currently only supervises 680 financial entities, markets, and infrastructure directly. It aims to regulate the wider ecosystem of 17,000 interconnected entities, including non-banks, to build stronger third-party assurance practices.
  • Breach notices will be enforced – breach notices will be issued more widely for non-compliance issues and, if not resolved in a timely manner, formal enforcement may be used.

While it’s not yet clear which entities will need to engage external audits for CPS 234 compliance, everyone should prepare accordingly. And regardless, it’s clearly time to take a united approach to protect the wider financial ecosystem.

THE IMPORTANCE OF A UNITED FRONT

As in every industry, banking, insurance, and superannuation are facing a constantly evolving enemy. To avoid defences being breached, the industry needs to dial up its supervision and scrutiny of financial institutions. After all, a cyber breach in any part of the system will impact on every business. Everyone is connected, and as that inter-connectivity continues to grow, so does the risk.

Whilst interconnectivity may be part of the problem, according to APRA, it could also offer the solution. In a world where an attack on one could be an attack on all, businesses have an opportunity to battle together.  By sharing expertise, pooling resources, and taking prompt action to fix weak links, the chain becomes much stronger and, ultimately, harder to infiltrate.

For more information on what Infotrust can do for your cyber security, contact us today.