APRA cyber stocktake finds ‘varying levels of maturity’ 

The Australian Prudential Regulation Authority (APRA) is encouraging every insurer to review common cyber resilience weaknesses identified in a sector-wide “stocktake,” and to incorporate strategies to address shortfalls. 

APRA published the results of the first tranche of assessments, which covered just under a quarter of the entities it regulates. More than 300 insurers, banks and superannuation trustees will have participated in APRA’s sweeping cyber stocktake by the end of the year. 

It has so far found “varying levels of maturity” regarding identifying and classifying information assets. 

“Methodologies are not fully established … information in asset registers is not reviewed and updated regularly … leading to incomplete and inaccurate information,” APRA said, adding that information assets managed by third parties are “in some cases not identified at all”, or are often covered only by self-assessments, with evidence “not being retained to substantiate test conclusions”. 

APRA says the financial services sector needs to “raise the bar” in managing cyber risks as there are clear gaps. 

It outlined in detail the most common failings detected. 

Testing of cyber programs was incomplete and inconsistent, lacked independence and did not provide adequate assurance for management and the board, it says. 

“The nature and frequency of the testing is often not commensurate with the criticality and sensitivity of information assets,” APRA said. 

Response playbooks had “limited plausible disruption scenarios,” some auditors “lack the necessary information security skills,” while practices for the required incident reporting to APRA were “often inconsistent, unclear and, in some cases, not in place at all”. 

It recommends that insurers have clear governance processes for escalating incidents, and says it will further engage with the industry to lift the benchmark for cyber resilience across the Australian financial services industry, and will work with any insurers and other entities that do not sufficiently meet the requirements of Prudential Standard CPS 234. 

Last month, APRA lifted Medibank’s capital adequacy requirement by $250 million after reviewing a major October breach. It says it continues to identify poor cyber security practices and inadequate oversight from boards and management, and will take further action to ensure entities address gaps and weaknesses in controls.