APRA outlines new cyber strategy, flags enforcement action
The Australian Prudential Regulation Authority (APRA) has warned it will take enforcement action against insurers and other financial services providers that fail to comply with their cyber security obligations.
APRA issued the warning as it outlines a new plan to strengthen the defences of the financial system against digital attacks.
Under the new plan, boards and executives will oversee and direct correction of cyber exposures; a baseline of cyber controls will be set up; and weak links within the broader financial eco-system and supply chain will be rectified.
Executive Board Geoff Summerhayes made the announcements last week at a business forum, where he said “it’s only a matter of time” until a major incident of material consequences hit an APRA-regulated insurer, bank or superannuation fund.
While the financial industry takes cyber risk seriously, there is room for improvement.
“Our vision is for a financial system that can stand firm against cyber attacks,” Mr Summerhayes said. “To successfully implement our new strategy, APRA will need to continue to evolve and strengthen its regulatory and supervisory approach to cyber risk.
“In the face of an enemy that is constantly seeking new ways to breach our defences, we are exploring a range of innovative tools and techniques aimed at dialling up our supervision and scrutiny of financial institutions.”
The sudden shift to remote working because of the pandemic has created an increasingly hostile cyber risk environment, he says. APRA has seen no obvious signs of an increase in adversaries targetting insurers or other financial services providers, but this is not cause for complacency.
He says it can take months or years for some attacks to be detected and major financial institutions ward off attempted cyber attacks on a daily basis.
APRA plans to collect more data in new areas to better understand the cyber threat, and share that knowledge to enable industry self-assessment and benchmarking.
It is looking to partner with academia to research issues such as measuring and benchmarking cyber resilience, and exploring more formal threat intelligence sharing among domestic and international regulators to better inform its activities.
Starting next year the regulator will be asking boards to engage an external audit firm to conduct a review of their firms’ compliance with CPS 234, a prudential standard that sets out how information security threat must be addressed.
Mr Summerhayes says consistent evidence showed many entities are failing to adequately comply with the standard since it came into effect last year.
“This is one area where APRA can no longer hold off tightening the regulatory screws,” he said. “In light of evidence that boards frequently don’t understand or are not adequately informed about cyber risks, we’re no longer prepared to simply take their words for it.
“If boards are unwilling or unable to make the required changes in a timely manner, we will consider using formal enforcement action.”