Gaps in cyber security exposed by APRA

The Australian Prudential and Regulation Authority (APRA) has released its findings from the first round of audits made in order to assess compliance with prudential standard CPS 234 Information Security (CPS 234).

According to APRA, more than 300 banks, insurers, and superannuation trustees will have participated in the cyber assessment.

“The purpose of the standard is to ensure that regulated entities have baseline prevention, detection and response capability to withstand cyber security threats,” APRA stated.

Just under a quarter (24 per cent) of APRA’s regulated entities were assessed during the first tranche of CPS 234 assessments, with the most common control gaps identified being:

• Incomplete identification and classification of critical and sensitive information assets
• Limited assessment of third-party information security capability
• Inadequate definition and execution of control-testing programs
• Incident response plans not regularly reviewed or tested
• Limited internal audit review of information security controls
• Inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner

APRA confirmed that it would intensify its supervisory oversight where gaps are identified and breach reporting is undertaken.

“APRA will continue to work with those entities that do not sufficiently meet CPS234 requirements, and will further engage with the industry to lift the benchmark for cyber resilience across the Australian financial services industry,” APRA noted.

According to the regulator, entities are currently in the process of the second and third tranches of APRA’s assessment, with the fourth and final tranche expected to be rolled out later this year.

APRA recently acted against Medibank after a major cyber incident that occurred in October 2022. It announced it will force Medibank to hold an additional $250 million in capital from July as punishment for the cyber breach.

Medical details belonging to nearly 10 million Australians were stolen in the breach, with some being posted online after Medibank’s refusal to pay a ransom.

Succeeding this incident, Latitude Financial Group also had its systems breached that resulted in almost 7.9 million driver’s licence numbers and 53,000 passport numbers being stolen from its customers.

Last month (June 2023), the Commonwealth Bank of Australia (CBA) introduced new measures to protect customers from scams involving cryptocurrency exchanges, while National Australia Bank (NAB) warned small and medium-sized enterprise (SME) customers against cyber crimes during tax season.

[RELATED: APRA slams Medibank with $250m punishment for cyber breach]