Is our financial services sector safe from cyber criminals?

Key points


  • Rates of cybercrime have increased and criminal attacks have become more sophisticated.

  • APRA is assessing the cyber security capability of Australia's financial organisations, including super funds.

  • Serious security gaps have been found.

Serious gaps have been identified in the security of Australia’s financial systems, leading the financial regulator to clamp down on non-compliance.

Over recent years, some of the country’s and world’s largest brands have fallen victim to major cybercrime and hacking. Rates of cybercrime have increased and criminal attacks have become more sophisticated.

These crimes have impacted many seniors and shaken their confidence in financial institutions.

To raise the bar against these attacks, more than 300 banks, insurers, and superannuation trustees are participating in an independent cyber assessment – the largest study of its kind to be conducted by the Australian Prudential Regulation Authority (APRA).

APRA has required all participants to appoint an independent auditor to assess their compliance with its prudential standards.

The purpose is to ensure that regulated entities have baseline prevention, detection and response capability to withstand cyber security threats.

Where gaps are identified and breach reporting is undertaken, APRA says it will intensify its supervisory oversight.

Summary of findings


After the first round of assessment, the most common control gaps found were:

  • Incomplete identification and classification of critical and sensitive information assets. Without proper identification and classification, an entity cannot determine which information security controls are appropriate to protect critical and sensitive data from unauthorised access or disclosure, so these gaps indicate that some financial organisations may not be able to protect that data.

  • Limited assessment of third-party information security capability. This is a concern as entities are relying on service providers to manage critical systems. In some cases, information security control plans do not exist.

  • Inadequate control testing. In many cases the testing programs are incomplete, inconsistent, and lack independence.

  • Incident response plans not regularly reviewed or tested. Plans are often incomplete, and many entities do not test or review them on a regular schedule.

  • Limited internal audit review of information security controls. Internal audit assessment of third-party information security controls is limited across the industry. In some cases, internal auditors performing control testing lack the necessary information security skills.

  • Inconsistent reporting of material incidents and control weaknesses to APRA. Every entity must notify APRA of material incidents and control weaknesses in its cyber security systems. However, this reporting is often inconsistent, unclear or not in place at all.

Looking ahead


Financial organisations are now participating in the second round of APRA’s assessment, and the final round is expected to be rolled out later in the year.

In a statement on its website, APRA says it encourages “every entity to review those common weaknesses outlined above, along with the prudential standard itself, and incorporate relevant strategies and plans to address shortfalls in their cyber security controls and governance policies”.

APRA says it will work with organisations that fail its requirements and will further engage with the industry to lift the benchmark for cyber resilience across the financial services industry.

Source: APRA
