APRA urges fast action on cyber weaknesses
The Australian Prudential Regulation Authority has again written to insurers giving guidance on common cyber control weaknesses.
The advice follows a letter sent in June and details common issues with the management of privileged access and testing of security measures.
“APRA expects regulated entities to review their control environment against these common weaknesses and address any identified gaps promptly,” GM operational resilience Alison Bliss says in the letter.
“If the review identifies gaps that could materially impact the entity’s risk profile or financial soundness, APRA considers this a material security control weakness notifiable under ... CPS 234 Information Security.”
Insurers must “remain vigilant and proactively implement strategies to mitigate risks posed by the evolving and escalating cyber threat landscape”, Ms Bliss says.
They should ensure “strength of identification and authentication is commensurate with the impact should an identity be falsified”.
APRA recommends insurers conduct regular self-assessments and adopt mitigation measures from established cyber safety strategies.
Tips include timely remediation of threats caused by insecure configuration of information assets, maintaining full records of all privileged accounts and granting only temporary data access when a valid business need exists.
APRA also recommends a variety of contemporary security tests, and says insurers should report the results to the appropriate governing body or individual, and formally track associated follow-up actions.