The initial tranche of APRA’s independent tripartite cyber assessment, which assessed around a quarter of the authority’s regulated entities, has highlighted several concerning gaps across the industry.
The independent tripartite cyber assessment – the largest study of its kind to be conducted by the prudential regulator – required APRA’s regulated entities to appoint an independent auditor to assess their compliance with CPS 234 Information Security (CPS 234), a prudential standard which ensures entities have baseline prevention, detection, and response capability to withstand cyber security threats.
APRA said it will increase its supervisory oversight where gaps are identified and breach reporting is undertaken, to ensure entities remediate cyber resilience deficiencies and meet their CPS 234 obligations.
The first round of assessments exposed the following control gaps:
- incomplete identification and classification for critical and sensitive information assets
- limited assessment of third-party information security capability
- inadequate definition and execution of control testing programs
- incident response plans not regularly reviewed or tested
- limited internal audit review of information security controls
- inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner
For more details regarding the findings, including what actions entities should take to address the gaps, visit the APRA website.
Moving forward
More than 300 banks, insurers, and superannuation trustees will have participated in the APRA’s assessment by the end of 2023. The second and third tranches are currently ongoing, with the fourth and final tranche to be rolled out later in the year.
“APRA encourages every entity to review those common weaknesses outlined above, along with the prudential standard itself, and incorporate relevant strategies and plans to address shortfalls in their cybersecurity controls and governance policies,” the regulator said in a statement.
“APRA will continue to work with those entities that do not sufficiently meet CPS234 requirements, and will further engage with the industry to lift the benchmark for cyber resilience across the Australian financial services industry.”
Use the comment section below to tell us how you felt about this.