The Australian Prudential Regulation Authority (APRA) has warned that its newly released cybersecurity strategy demands closer attention from financial firms. The regulator has directed insurers, banks, and superannuation funds to urgently audit themselves against the new prudential standard to confirm they are compliant.
APRA’s new five-year cybersecurity strategy extends the regulator’s influence into non-banks, including third-party IT suppliers, fund managers, and payment companies, to defend the financial system from the growing threat of cyber attackers.
“Our view that it’s only a matter of time until a major incident occurs hasn’t changed. In light of evidence that boards frequently don’t understand or are not adequately informed about cyber risks, we’re no longer prepared to simply take their word for it – we want compliance independently verified,” said APRA executive Geoff Summerhayes, as reported by the Australian Financial Review (AFR).
He emphasised that it’s “only a matter of time” before attackers hit a major financial institution, and said bank boards should therefore engage an external audit firm to review compliance with the regulator’s prudential standard on cybersecurity, CPS 234.
APRA also calls for more investment into internal audit teams to police standards, and for much stricter vetting of third-party suppliers.
“If boards are unwilling or unable to make the required changes in a timely manner, we will consider using formal enforcement action,” Summerhayes said.
“In an environment where an attack on one of us could be an attack on any of us, our financial system is only as resilient to cyberattacks as the weakest link in the chain. By working together, we can actually capitalise on our increased connectivity to strengthen the chain and protect ourselves by protecting each other.”