APRA has unveiled a new cyber security strategy and flagged it will step up its review of current cyber compliance, holding boards accountable for shortfalls.

The prudential regulator’s cyber security strategy for 2020 to 2024 seeks to lift cyber security standards and introduce heightened accountability where companies fail to meet their legally binding requirements.

In a speech to the Financial Services Assurance Forum yesterday, Geoff Summerhayes, executive board member of APRA said the new strategy seeks to safeguard an increasingly connected network of financial entities, increase board oversight and improve basic cyber hygiene practices.

Summerhayes said APRA wants to “eradicate unnecessary or careless cyber exposures” by establishing a baseline of cyber controls. It is starting with sharpening its enforcement CPS 234 compliance.

CPS 234 was introduced last year to shore up the sector’s cyber resilience and requires banks, insurers and superannuation funds to maintain security capabilities, conduct regular tests and notify the regulator if incidents occur.

Boards will be required to engage an external audit firm to review CPS 234 compliance next year after the regulator identified many entities are failing to adequately comply with the rules.

While APRA previously made concessions to reduce the regulatory burden so the industry could focus on its pandemic response, Summerhayes said “this is one area where APRA can no longer hold off tightening the regulatory screws”.

“It’s close to 18 months since CPS 234 came into effect, and we are still seeing too many basic cyber hygiene issues across the industry,” Summerhayes said.

“We are also going to take a much more targeted approach to ensuring CPS 234 is being fully complied with, and holding boards and management accountable where it is not.”

Summerhayes also called for more cybersecurity skills across boards and internal audit functions.

“Too many boards still lack visibility or understanding of the problems, while internal audit functions can lack the specialist skills to challenge boards and management to plug urgent gaps,” he said.

“Cyber risk is hardly a new threat, yet many boards across our regulated population are still not properly equipped to oversee cyber matters and direct corrective action where necessary.”

The strategy will formulate enhanced cyber guidance for board members, internal auditors, and risk management professionals.

A complex network 

The new strategy also aims to extend APRA’s reach beyond the 680 entities it regulates to a wider ecosystem of 17,000 interconnected financial entities, markets, and infrastructure that provide products and services to consumers.

“We know that a cyber breach in any part of the system – such as an insurance broker, a credit ratings agency, an IT service provider or ATM repair service – can have a cascading impact on the whole system.”

APRA will develop stronger third-party provider assessment and assurance practices for use by APRA-regulated entities, raising the level of maturity in the supplier procurement and oversight practices.

Despite the heightened cyber risks, Summerhayes said there is “no obvious sign” of an increase in cyber adversaries targeting banks, insurers or super funds throughout COVID-19 remote work.

“This is not cause for complacency, given it can take months or years for some cyber attacks to be detected, while we are acutely aware that our major financial institutions ward off attempted cyber-attacks on a daily basis,” he said.

Summerhayes noted the cyber risks continue to accelerate and APRA’s mission is to “make a step change in Australia’s financial system cyber resilience”.