Australia’s prudential supervisor has published the findings from the first tranche of assessments as part of its ongoing expansive study on cyber resilience in financial services.
The Australian Prudential Regulation Authority (APRA) is looking to examine more than 300 banks, insurers, and superannuation trustees by the end of 2023 in terms of their compliance with prudential standard CPS 234 Information Security (CPS 234), the purpose of which is to ensure that baseline prevention, detection, and response capability is in place.
The first tranche of CPS 234 assessments involved about 24% of APRA’s regulated entities. Currently taking place are the second and third tranches, while the fourth and final tranche is expected to be rolled out later in the year.
According to the partial findings from the first tranche, the most common gaps are incomplete identification and classification for critical and sensitive information assets; limited assessment of third-party information security capability; inadequate definition and execution of control testing programs; incident response plans not regularly reviewed or tested; limited internal audit review of information security controls; and inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner.
Aside from identifying the common gaps, the regulator also outlined ways in which the gaps could be addressed, such as testing incident response plans at least annually to ensure they remain fit for purpose and having clear governance processes for escalating incidents and control weaknesses to relevant governance bodies.
“The decision to undertake the CPS 234 tripartite assessment sits as part of APRA’s 2020–2024 Cyber Security Strategy, starting with a small pilot that was completed in mid-2021,” APRA said. “Like the pilot, results from this first tranche of assessments highlight several concerning gaps across the industry.
“Where gaps are identified and breach reporting is undertaken, APRA intensifies its supervisory oversight. This helps to ensure entities remediate cyber resilience deficiencies and meet their CPS 234 obligations.”
What do you think about this story? Share your thoughts in the comments below.
