Watchdog warns on cyber control gaps
The prudential regulator has urged insurers to check for gaps in their cyber controls amid an “evolving and escalating” threat landscape.
Australian Prudential Regulation Authority GM operational resilience Alison Bliss says companies must “remain vigilant and proactively implement strategies to mitigate risks”.
The letter to insurers follows a similar memo sent in June and details common issues with the management of privileged access and testing of security measures.
“APRA expects regulated entities to review their control environment against these common weaknesses and address any identified gaps promptly,” Ms Bliss says.
“If the review identifies gaps that could materially impact the entity’s risk profile or financial soundness, APRA considers this a material security control weakness notifiable under ... CPS 234 Information Security.”
Insurers should ensure “strength of identification and authentication is commensurate with the impact should an identity be falsified”.
APRA recommends insurers conduct regular self-assessments and adopt mitigation measures from established cyber safety strategies. Tips include timely remediation of threats caused by insecure configuration of information assets, maintaining full records of all privileged accounts and granting only temporary data access when a valid business need exists.