APRA publishes guidance on cyber security
The Australian Prudential Regulation Authority (APRA) has released updated guidance on managing cyber crime and other information security risks.
It follows consultations with business earlier in the year to develop a new information security standard, amid a growing threat to the financial sector.
A key element of the standard concerns assessing the information security capabilities of all third parties that manage information on a company’s behalf. The fact that a third party is itself subject to regulatory oversight is not proof that it can sufficiently manage cyber or security risks that may jeopardise information, APRA warns.
A combination of interviews, control testing, and independent assessments and certifications will give insurers a view of third parties’ cyber security. The regulator also says insurers must ensure that a third party’s cyber security protects against attacks on any related companies that third party itself engages.
“The new standard and accompanying prudential practice guide will reinforce industry’s ability to withstand these information security threats, and respond effectively when breaches occur,” Executive Board Member Geoff Summerhayes said.
“It is only a matter of time until an Australian financial institution suffers a material information security breach of the kind we’ve seen overseas, so they must be prepared.”
Aon recently warned that a growing reliance on third-party or fourth-party vendors and service providers has made it easier to attack supply chains.
In Britain, 58% of companies have experienced data breaches via third parties, yet only 35% rate their third-party risk management program “highly effective”, the global broker says.