The Australian Prudential Regulation Authority (APRA) has just announced its Cyber Security Strategy for 2020-2024, aiming to considerably strengthen the cyber resilience of Australia’s financial system. The strategy serves as an indisputable warning to institutions across banking, insurance and superannuation that cyber security needs more intense focus.
To date, no APRA-regulated institution has suffered a substantial cyber attack; however, it could only be a matter of time until that changes. While there have been no obvious signs of an increase in cyber attacks on financial institutions due to COVID-19, the pandemic is a sign that risk continues to escalate. There is a growing danger from the shift to remote working and the transition to a digital economy. In a speech regarding the revised strategy, Executive Board Member Geoff Summerhayes warned that the financial system is only as strong as its weakest link. The clear message is that this is no time for complacency.
However, despite the clear risks, there are significant issues within the banking, insurance and superannuation industries. The regulator has noticed an ongoing lack of visibility and understanding at board level, with an absence of basic cyber hygiene practices in some instances. While the risk of a cyber attack is far from a new threat, boards and management don’t appear to be properly equipped to oversee the risk and take the necessary action. Moreover, the severity of cyber risk seems to be misjudged compared with risk in other areas of the business.
The core aim of APRA’s new Cyber Security Strategy is to eradicate unnecessary or careless cyber exposures. The strategy aims to tackle the lack of awareness by lifting security standards and introducing higher accountability. The prudential watchdog plans to apply a broader set of regulatory tools, leaning on peer regulators and government agencies to impose accountability on any entity that fails to comply with its legally binding obligations.
There are three principal aims of the strategy:
Up until now, APRA has held off tightening enforcement. However, with so much evidence that entities are failing to comply with legislation, the new Cyber Security Strategy will change that and highlight the seriousness of the issue. There will be a much more targeted supervisory approach with greater accountability for boards and management. This will start with a sharpening of CPS 234 compliance enforcement. The main things that APRA-regulated businesses should be aware of are:
While it’s not yet clear which entities will need to engage external audits for CPS 234 compliance, everyone should prepare accordingly. And regardless, it’s clearly time to take a united approach to protect the wider financial ecosystem.
As in every industry, banking, insurance, and superannuation are facing a constantly evolving adversary. To avoid defences being breached, the industry needs to dial up its supervision and scrutiny of financial institutions. After all, a cyber breach in any part of the system will impact every business. Everyone is connected, and as that interconnectivity continues to grow, so does the risk.
Whilst interconnectivity may be part of the problem, according to APRA, it could also offer the solution. In a world where an attack on one could be an attack on all, businesses have an opportunity to battle together. By sharing expertise, pooling resources, and taking prompt action to fix weak links, the chain becomes much stronger and, ultimately, harder to infiltrate.
For more information on what Infotrust can do for your cyber security, contact us today.