Shock APRA Findings

17 July 2023

The Australian Prudential Regulation Authority (APRA) is an independent statutory authority that supervises institutions across banking, insurance, and superannuation and promotes financial system stability in Australia. 

Under CPS 234 obligations implemented in July 2019, APRA regulated entities are mandated to improve cyber security resilience by “maintaining an information security capability commensurate with information security vulnerabilities and threats.”

Despite presenting abundant guidance regarding how public-sector organisations should improve their cyber security practices, a recent industry audit found that 76 percent of entities had not fully implemented the guidance of Protective Security Policy Framework (PSPF) Policy 10. The recommendations include implementing the Essential Eight cyber security mitigation strategies.

The early findings of the large-scale security assessment uncovered systemic weaknesses in key areas, including the management of third-party contracts and the protection of sensitive data throughout supply chains. The investigation covers more than 300 Australian banks, insurers, and superannuation trustees with the full report due by the end of 2023. Upon conclusion, this will be the largest study of its kind to be untaken by APRA.  

The initial findings identified some common gaps across the sector including incomplete identification and classification of critical digital assets, poor assessment of third-party risks, inadequate control testing programs, irregular and inadequate incident response planning, inadequate internal security auditing, and inconsistent reporting of material incidents to APRA within a timely fashion.  

The results are a wake-up call for all private sector entities, not just those that fall under APRA’s jurisdiction. They confirm many of the weaknesses Intalock encounters during its risk assessment and reporting work. The findings highlight the common need for external expertise when grappling with legislative requirements and the ever-present cyber security threats posed by sophisticated hackers.

APRA recommends annual incident response testing as a minimum requirement and the development of clear planning procedures to respond to any incident. This includes clear reporting guidelines to all relevant oversight agencies. The classification of organisational data into risk groups and the threats posed by third-party agreements are key areas that all corporate entities should address as a matter of utmost urgency. Without knowledge regarding the information assets being handled by third parties, there remains a pressing potential threat that cannot be ignored. 

The release of APRA’s complete findings is sure to include further recommendations for Australian companies within the financial sector. While this sector has long been a target for hackers, it should be noted that health and aged care providers and other data rich organisations are now some of the most susceptible to potential breach.  

For more information about assembling a comprehensive cyber security strategy that will satisfy regulators and protect your organisation’s data, contact Intalock today.     

back to blog