‘Raise the cyber security bar,’ APRA tells insurers

Early findings from an expansive cyber resilience “stocktake” in the financial services sector reveal a “need to raise the bar”, the Australian Prudential Regulation Authority (APRA) said today. 

By the end of the year, more than 300 insurers, banks and superannuation trustees will have participated in APRA’s sweeping cyber assessment – the largest study of its kind to be conducted by the regulator. 

APRA today published the results of the first tranche of assessments, which covered just under a quarter of the entities it regulates.  

This exposed clear gaps, and APRA has outlined in detail the six most common failings detected, including incomplete identification and classification for critical and sensitive information; limited assessment of third-party information security capability; and inadequate control testing programs. 

Rounding out the top six gaps were incident response plans not regularly tested; limited internal audit of security controls; and inconsistent reporting of material incidents in a timely manner. 

APRA wants every insurer to review those common weaknesses and incorporate strategies to address shortfalls. 

“Some of the world’s largest brands have fallen victim to major data breaches in recent years. Rates of cybercrime have increased and criminal attacks have become more sophisticated. Australia has not been immune; recent, well-publicised cyberattacks are among the largest in the country’s corporate history,” APRA said. 

Last month, APRA lifted Medibank’s capital adequacy requirement by $250 million after reviewing a major October breach, and says it “continues to identify poor cyber security practices and inadequate oversight from boards and management, and will take further action to ensure entities address gaps and weakness in controls.” 

The stocktake has found “varying levels of maturity” regarding identifying and classifying information assets. 

“Methodologies are not fully established … information in asset registers is not reviewed and updated regularly … leading to incomplete and inaccurate information; and information assets managed by third parties are … in some cases not identified at all,” APRA said.

It also says assessment plans for third parties have limited scope, or do not exist, or are based on self-assessments that are “not being retained to substantiate test conclusions.” 

“The nature and frequency of testing is not aligned to the criticality and sensitivity of information assets managed by third parties,” APRA said. 

The testing programs of entities are incomplete, inconsistent, lack independence and do not provide adequate assurance for management and the board, it says. 

“The nature and frequency of the testing is often not commensurate with the criticality and sensitivity of information assets.” 

Incident response plans were found to be incomplete and to lack regular testing, while response playbooks had “limited plausible disruption scenarios.” Some auditors “lack the necessary information security skills,” while practices for the required incident reporting to APRA were “often inconsistent, unclear and, in some cases, not in place at all.” 

Frequently, “the process to ensure timely reporting is not established or not enforced,” APRA said, recommending that insurers have clear governance processes for escalating incidents. 

APRA says it will further engage with the industry to lift the benchmark for cyber resilience across the Australian financial services industry, and will work with any insurers and other entities that do not sufficiently meet the requirements of CPS 234. 

Insurers and other entities are currently participating in the second and third tranches of APRA’s assessment. The last tranche is expected to be rolled out later in the year. 

APRA's initial findings are available here.