APRA releases new cybersecurity strategy

The Australian Prudential Regulation Authority (APRA) has released its Cyber Security Strategy for 2020 to 2024. The strategy seeks to lift cybersecurity standards further and introduce heightened accountability where companies fail to meet their legally binding requirements. Most notably, it also aims to extend APRA’s reach beyond its regulated entities to influence the broader ecosystem of suppliers and providers those entities rely upon.

In a speech to the Financial Services Assurance Forum, APRA Executive Board Member Geoff Summerhayes stated: “To date, no APRA-regulated bank, insurer or superannuation fund has suffered a material cyber breach, but our view that it’s only a matter of time until a major incident occurs hasn’t changed. Although the financial industry takes cyber risk seriously, there is room for improvement. For example, too many boards still lack visibility or understanding of the problems, while internal audit functions can lack the specialist skills to challenge boards and management to plug urgent gaps.”

The new strategy builds on APRA’s previous strategic initiatives including the delivery of its information security prudential standard and prudential guidance, and establishing a notification and response process for material cyber incidents.

“The Strategy has been informed by extensive consultation with the Department of Home Affairs, as well as Treasury, ASIC and the Reserve Bank of Australia, and is designed to complement Australia’s Cyber Security Strategy 2020,” explained Summerhayes. “Our mission is to make a step change in Australia’s financial system cyber resilience. Our vision is for a financial system that can stand firm against cyber-attacks.”

The Strategy comprises three primary focus areas. The first is to establish a baseline of cyber controls by reinforcing the embedding of non-negotiable cyber practices. The second is to enable boards and executives of financial institutions to oversee and direct the correction of cyber exposures. The third is to rectify weak links within the broader financial ecosystem and supply chain by fostering the maturation of provider cyber-assessment and assurance, and by harmonising the regulation and supervision of cyber across the financial system.

“As the threat posed by domestic and international cyber adversaries grows, along with the potential impact of a successful attack, we must remain on guard and continue to build our defences,” concluded Summerhayes. “In an environment where an attack on one of us could be an attack on any of us, we are all – governments, regulators, organisations and individuals – links in a chain – and we are in this battle together. By sharing information and expertise, pooling resources and taking prompt action to plug gaps and fix weak links, we create a community of cyber defenders that is greater than the sum of its parts. In doing so, we help to keep the chain as strong as possible, and lock out those who would do us harm.”
