The Australian Prudential Regulation Authority (APRA) says reviews it has asked banking, insurance and superannuation groups to complete have shown cyber security improvements are needed in areas including safeguards to protect sensitive customer data.

APRA has asked firms to review their response to the regulator’s first prudential standard focussed on cyber, widening the exercise after an initial pilot group of audits.

“Given recent cyber breaches affecting a broad number of Australians, boosting cyber resilience remains one of APRA’s top priorities,” Chair John Lonsdale said at an Australian Financial Review banking summit today.

“Yet our analysis of the first tranche of results from the reviews show that entities have more work to do and that there is a need to continuously raise the bar on cyber preparedness and resilience across banking, insurance and superannuation.”

Areas for improvement include a lack of rigour in the nature and frequency of security control testing, insufficient board oversight on cyber, incident response plans not regularly reviewed or tested, insufficient safeguards to protect sensitive customer data, and inadequate service provider oversight arrangements.

APRA is also in the process of finalising prudential standard CPS 230 Operational Risk Management, which will replace five existing standards for business continuity and outsourcing.

Mr Lonsdale says cyber is just one of many risks.

“Our regulated entities must ensure they effectively identify and manage all operational risks, are able to continue to deliver critical operations during disruptions, and prudently manage the risks of service providers,” he said.

“If avoiding a costly and damaging cyber incident or other operational risk event is not enough of a carrot, APRA is prepared to wield the stick and take enforcement action if necessary.”

Mr Lonsdale says one aspect of recent events affecting banks overseas has been the sheer speed of developments, while more generally the environment has become more volatile.

“Over recent years, we have seen an increased frequency of events outside the scope of what financial institutions typically model for: fluctuations in commodity prices that we’ve rarely seen before, sharper movements in interest rates and a higher number of extreme weather events,” he told the banking event.

“The causes and impact of this greater financial volatility is something we as regulators also need to examine.”