APRA raises expectations on cyber security
The Australian Prudential Regulation Authority (APRA) is stepping up its scrutiny of cyber-attack prevention and incident response plans, as the potential threat to areas it oversees increases.
“To date, no APRA-regulated entity has suffered material losses from a cyber incident and security controls have held up against past attacks, however, this should not provide grounds for complacency,” it says in its annual report.
The regulator says it is being proactive, taking action to lift supervisory activities and expectations for entities to take responsibility for cyber security.
“Weaknesses in this area significantly undermine the work being undertaken at the strategic security management level and unnecessarily increase an entity’s risk profile,” it says.
APRA is conducting a follow-up to a cyber-security survey conducted last year, and has started to develop a new information security prudential standard and to update a practice guide.
It is also keeping an eye on NSW compulsory third party (CTP) claims following the recent rise, and will watch the impact of reforms.
“APRA has been monitoring the potential for this adverse claims trend to emerge in the CTP schemes in other states and other long-tail classes of business and ensuring insurers are also monitoring this risk,” it says.
Last financial year the regulator conducted its first general insurance stress test with the four largest primary insurers and two largest reinsurers, with scenarios involving earthquake claims and CTP.
Most needed to improve modelling capabilities for APRA’s multi-year scenarios and accommodate “the granular parameters” supplied in the CTP claims stress, while governance arrangements were found to be reasonably sound.
APRA has also started a “thematic review” of insurers’ planning for recovery from a period of severe adversity. It will provide guidance to insurers included in the review and will then examine and benchmark submitted recovery plans.
Last financial year the largest five general insurers accounted for 55% of gross written premium, compared with 42% a decade earlier, APRA says in the report.
Concentration is higher in the personal lines market, with commercial market shares generally lower due to the large presence of foreign insurers.
In reinsurance, the two largest players account for 76% of the market.
At the end of June there were 104 APRA-authorised insurers, comprising 81 primary, nine reinsurers and 14 insurers only authorised to conduct run-off business.
Five authorised general insurers left the market, continuing a recent steady fall, but APRA says this reflects groups rationalising licences from acquisitions, rather than a significant reduction in capacity or withdrawal of underwriters.