
No finish line for cyber security: APRA

Insurers and other financial institutions must keep tightening cyber security as threats become more sophisticated, the Australian Prudential Regulation Authority (APRA) warns.

“There is no finish line for cyber-security risk management: it is a necessary discipline with no room for complacency and will require ongoing vigilance, improvement, investment and oversight,” the regulator says.

APRA has published an information paper on the issue after surveying 37 regulated entities and four service providers between October last year and March.

So far no regulated group has suffered material losses from a cyber incident and security controls have held up against attacks, but the threat is growing, it says.

“As a result of the expanding sophistication, frequency and impact of cyber attacks, APRA-regulated entities should expect to experience significant cyber-security incidents and be prepared for an evolving range of threats.”

APRA intends to raise its supervisory and regulatory expectations, requiring entities to secure themselves against cyber threats and to better identify and remediate attacks when they occur.

The survey found 46% of life and general insurance respondents experienced at least one cyber-security incident in the previous year that was serious enough to warrant executive management involvement.

In the superannuation sector, 75% of respondents reported an incident.

Incidents included advanced persistent threats, which involve sophisticated, covert and sustained intrusions into an organisation's systems.

Denial-of-service attacks, in which a flood of bogus requests prevents customers or business partners from accessing digital services, were also a problem.

Ransomware attacks were reported as an increasing threat, while reputation-damaging incidents such as website defacement and social media account misuse were experienced by about one in eight respondents.

APRA has urged greater engagement with government, peers and service providers.

“All regulated entities should consider establishing links with the Australian Cyber Security Centre if they have not already done so.”