The Australian Prudential Regulation Authority (APRA) has published preliminary findings from its first round of audits assessing compliance with prudential standard CPS 234 Information Security (CPS 234).
The review aims to ensure APRA-regulated banks, insurers, and superannuation trustees have baseline prevention, detection, and response capability to withstand cyber threats amid a rise in malicious activity, which has impacted major Australian brands, including health insurance giant Medibank.
APRA’s first round of audits has identified six key gaps in the cyber security safeguards of regulated entities:
- incomplete identification and classification for critical and sensitive information assets;
- limited assessment of third-party information security capability;
- inadequate definition and execution of control-testing programs;
- incident response plans not regularly reviewed or tested;
- limited internal audit review of information security controls; and
- inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner.
Entities with inadequate cyber security safeguards are expected to be subject to heightened supervision from the prudential regulator.
“APRA encourages every entity to review those common weaknesses outlined above, along with the prudential standard itself, and incorporate relevant strategies and plans to address shortfalls in their cyber security controls and governance policies,” APRA noted.
“APRA will continue to work with those entities that do not sufficiently meet CPS 234 requirements and will further engage with the industry to lift the benchmark for cyber resilience across the Australian financial services industry.”
APRA is currently conducting the second and third tranches of its assessment, with the fourth and final tranche due to commence later this year.
In total, approximately 300 banks, insurers, and superannuation funds are expected to be subject to the APRA assessments.
The release of findings from the first round of its investigations comes just weeks after APRA released its 2023 Stakeholder Survey, which sought feedback from 282 entities from across the banking, insurance, and superannuation industries.
The survey revealed 98 per cent of respondents believe APRA’s supervision has benefited their industry, up from 95 per cent in the previous survey published in 2021.
Further, 94 per cent said APRA’s oversight helps protect financial wellbeing, while 90 per cent said APRA’s supervision enhances their firm’s financial and operational strength.
However, when compared to previous surveys, fewer entities believe APRA effectively pursues financial safety, “balanced with considerations of efficiency, competition, contestability and competitive neutrality, and promotes financial stability”, down from 81 per cent in 2021 to 66 per cent.
Respondents also lamented the cost burden associated with compliance with APRA prudential standards, with just 27 per cent of entities believing changes to APRA’s prudential framework have “sufficiently considered the costs of regulation”.
The lowest reading was among firms from the superannuation industry, with just 6 per cent satisfied with the regulator’s consideration of cost burdens.
The strongest reading, albeit relatively weak, was from authorised deposit-taking institutions (36 per cent).
“As a statutory authority, APRA is accountable to the Parliament and Australian people, however we also welcome confirmation that the banks, insurers and superannuation licensees we supervise continue to endorse the work we do to uphold their prudential soundness and overall financial system stability,” chair John Lonsdale said.
“Recent bank collapses in the US and Europe, and the ongoing spate of serious cyber attacks, underscore the importance of our prudential framework continuing to evolve in response to new and accelerating risks.
“However, we also hear the message that industry would like us to better balance the positive impact of supervision with the cost and burden of regulation. APRA will reflect on all the survey findings as we shape our future policy and supervision agenda.”