Enforcement in APRA’s sights as it steps up focus on cyber security failures

  • By Christine St Anne

The prudential regulator will push the sector to provide independent reviews of how they are complying with its cyber risk requirements, as it steps up its oversight of cyber security across the broader industry, including payment providers and software vendors.

“We are going to take a much more targeted approach to ensuring CPS 234 – APRA’s compliance standard on cybersecurity - is being fully complied with, and holding boards and management accountable where it is not,” APRA executive member Geoff Summerhayes said in a speech on Thursday. 

“Starting next year, APRA will be asking boards to engage an external audit firm to conduct a thorough review of their CPS 234 compliance and report back to both APRA and the board,” he added.

The comments were part of the prudential regulator's new cyber security strategy for the next five years, which "seeks to extend APRA's reach beyond its regulated entities to influence the broader cyber eco-system".

“This is perhaps the most challenging part of the strategy because it involves extending our influence beyond banks, insurers and superannuation licensees to cover a wide range of services, ranging from fund managers and payment platforms to software vendors,” he said. 

On the need for independent board reviews, Summerhayes said 100 organisations "confessed to shortcomings" when APRA audited CPS 234 compliance at the end of last year.

And while other organisations told APRA they were compliant, when the prudential regulator's IT risk specialist teams conducted their own review they "discovered significant weaknesses in every instance, in areas such as testing programs, control environments and incident response capabilities".

“At one level, this exercise is about identifying compliance issues and ensuring they are rectified in the shortest period of time to protect companies and the wider system,” Summerhayes said.

“At another level, it’s sending a message about the seriousness of this issue, and the need for greater accountability for meeting what are now legal obligations,” he added.

In fact, given the evidence that boards do not seem to understand cyber risks, Summerhayes said that the regulator is "no longer prepared to simply take their word for it – we want compliance independently verified, and we will be applying serious pressure when it's not forthcoming".

Where gaps are “sufficiently material”, APRA will force organisations “to issue a breach notice and create a rectification plan”. 

“If boards are unwilling or unable to make the required changes in a timely manner, we will consider using formal enforcement action,” he warned.

"The intention, as per our 'constructively tough' enforcement philosophy, is to expedite positive change to protect institutions, the customers that rely on them and the broader financial system."

In his speech, Summerhayes spoke about the impact of cyber breaches and how they can have a "cascading impact on the whole system".

“At the heart of the new strategy is recognition that the Australian financial system is an ecosystem of an estimated 17,000 interconnected financial entities, markets, and financial market infrastructures that provide products and services to consumers,” Summerhayes said.

“APRA only directly supervises around 680 of these, yet we know that a cyber breach in any part of the system – such as an insurance broker, a credit ratings agency, an IT service provider or ATM repair service – can have a cascading impact on the whole system.”

Summerhayes acknowledged that the rapid move to online and remote working arrangements, driven by the health pandemic, had led to an increase in cyber risks.

“In prioritising their ability to keep operating, many of the entities we regulate needed to make compromises to their normal information security protocols to facilitate the sudden switch to remote work arrangements for most or all employees,” he said. 

However, according to the regulator, very few of those organisations have "gone back to firmly close the gates they left ajar in March".

Summerhayes, who will sadly leave the regulator in December, said it was important that the industry worked together to tackle ever-changing cyber security risks.

“In an environment where an attack on one of us could be an attack on any of us, our financial system is only as resilient to cyber-attacks as the weakest link in the chain. 

“By working together, we can actually capitalise on our increased connectivity to strengthen the chain, and protect ourselves by protecting each other.”