Head of Cyber Incident Management and Cyber Consulting, Pacific
The baseline cybersecurity capabilities of more than 300 banks, insurers and superannuation trustees across Australia are this year undergoing assessment by the Australian Prudential Regulation Authority (APRA), and the first round of results makes for concerning reading.
The survey, which assesses compliance with APRA Prudential Regulation CPS 234 and also covers information assets managed by third-party vendors, is directed at regulated financial institutions.
But its findings are relevant for the wider corporate community beyond the finance sector, which would do well to take note of what they indicate about businesses’ overall state of cyber risk management and resilience.
At the time of writing, APRA had released the results of its initial round of tripartite cyber assessments for just under a quarter (24%) of the targeted financial institutions. They suggest such organisations are falling below expected levels of cyber resilience and cyber risk management maturity – even amid the sense of urgency following recent major data breaches and the increasing sophistication of cyberattacks overall.
APRA highlights six key areas where there are significant gaps between expected controls and organisations’ current capabilities on cybersecurity. These are:
The purpose of CPS 234 is to ensure that regulated entities have baseline prevention, detection and response capabilities to withstand cyber security threats. CPS 234 aims to ensure that regulated entities take reasonable steps to be resilient against information security incidents, including cyberattacks, by maintaining an information security capability commensurate with information security vulnerabilities and threats.
CPS 234 is a clear and concise set of regulations and informs best-practice information security standards for regulated financial institutions. It is also a good reference point for steps to take to minimise the impact of information security incidents on the confidentiality, integrity and availability (CIA) of information assets, including those managed by third parties.
The assessments against CPS 234 are carried out for APRA by an independent third-party cyber expert.
The relevance of CPS 234 and the assessment findings extends beyond financial institutions; they are a good reference point for organisations of all sizes and types, irrespective of industry.
The findings, read in conjunction with the ASD Essential 8 and other regulatory regimes relating to cyber security and cyber resilience, provide an effective guide to how organisations should be investing in their cybersecurity.
The APRA findings reveal that key cybersecurity challenges for businesses continue to include:
Rapid detection and response continues to be important. Even with strong defences in place, rapid detection followed by an effective and timely response can substantially limit an organisation’s business interruption, brand damage, and financial and operational loss in the event of an incident.
The APRA findings complement key insights within Marsh McLennan’s market-first research published earlier in 2023, which highlights the direct link between key cybersecurity controls and reduced cyber risk. It will be interesting to follow the trends in these results as the outcomes of more tripartite assessments are revealed.
Marsh cyber consulting can assist organisations of all sizes with their third-party vendor risk management reviews, compliance assessments, and incident response planning, review and testing. We can also provide risk intelligence by identifying key risks and quantifying the potential financial loss should those risks eventuate. Contact us for more information.
This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. LCPA 23/303