APRA Cyber Security Review Exposes Significant Gaps in Security

APRA Regulation of Cyber Security

The Australian Prudential Regulation Authority (APRA) was established as an independent statutory authority that supervises institutions across banking, insurance and superannuation, and is accountable to the Australian Parliament.

In 2019 APRA released Prudential Standard CPS 234 Information Security (Prudential Standard).

The Prudential Standard governs cyber security and covers a range of topics including:

  • the role and responsibilities of Boards;
  • information security capability and policy frameworks;
  • information assets and controls;
  • incident management;
  • testing and internal audit; and
  • notifying APRA of data breaches and information security incidents.

The Prudential Standard explains that Boards of APRA regulated entities must ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets and which enables the continued sound operation of the entity.

A guide to the CPS 234 can be found HERE.

Cyber Security Study

In July 2023, APRA released the first results arising from a study which reviewed 300 banks, insurers, and superannuation trustees’ compliance with the Prudential Standard, through an independent tripartite cyber assessment. Each of the APRA regulated entities were required to appoint an independent auditor to assess their compliance with the Prudential Standard.

Key Findings

The results identified a number of areas for improvement, with APRA commenting that there were several concerning gaps across the industry. Common gaps found included:

Control testing programs

APRA regulated entities must test the effectiveness of their information security controls through a systematic testing program. APRA explained that entities must adopt a variety of testing approaches; define clear success criteria; and conduct testing by appropriately skilled and functionally independent specialists who do not have operational responsibility for the controls being validated.

Incident response plans

APRA regulated entities must also maintain plans to respond to information security incidents that the entity considers could plausibly occur. To address gaps, entities must ensure their incident response plans (including those operated by third parties) are tested at least annually to ensure they remain fit-for-purpose.

Identification and classification of information assets

APRA explained that companies need to implement comprehensive asset classification policies which define what data is critical and sensitive. Further, companies should review and update asset registers regularly.

Internal audit reviews of information security controls

An APRA regulated entity’s internal audit activities must include a review of the effectiveness of information security controls, including those maintained by third parties.

Gaps identified included limited review of third party-operated information and internal auditors performing control testing lacking the necessary information security skills.

Notification of material incidents and control weaknesses

APRA must be notified of material incidents and control weaknesses in every entity’s cyber security system. The assessment found that the reporting process to APRA is often inconsistent, unclear and, in some cases, not in place at all. 

Information security controls of third parties

Companies need to understand which information assets are managed by third parties and understand the controls that the third parties have in place.

Third party control effectiveness can be tested through a combination of interviews, surveys, control testing, certifications, contractual reviews, attestations, referrals, and independent assurance assessments.

Lavan Comment

APRA has encouraged entities to review their cyber security strategy and incorporate relevant plans to address shortfalls in their cyber security controls and governance policies.

If you or your business would like further advice or assistance on how you can minimise any risk with respect to the cyber security of your business or need assistance complying with the Prudential Standard, please reach out to Iain Freeman or Kristy Yeoh.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.