Article

What your organisation can learn about risk readiness from the early results of APRA’s cybersecurity stocktake

Initial results of APRA’s assessment of cybersecurity capabilities highlight weaknesses for Australian banks, insurers and superannuation trustees.

The baseline cybersecurity capabilities of more than 300 banks, insurers and superannuation trustees across Australia are this year undergoing assessment by the Australian Prudential Regulation Authority (APRA), and the first round of results makes for concerning reading.

The survey, which assesses compliance with APRA Prudential Regulation CPS 234 and also covers information assets managed by third-party vendors, is directed at regulated financial institutions.

But its findings are relevant for the wider corporate community beyond the finance sector, which would do well to take note of what they indicate about businesses’ overall state of cyber risk management and resilience.

At the time of writing, APRA had released the results of its initial round of tripartite cyber assessments for just under a quarter (24%) of the targeted financial institutions. They suggest such organisations are falling below expected levels of cyber resilience and cyber risk management maturity – even amid the sense of urgency following recent major data breaches and the increasing sophistication of cyberattacks overall.

The six cyber-readiness weaknesses revealed in the results

APRA highlights six key areas where there are significant gaps between expected controls and organisations’ current capabilities on cybersecurity. These are:

  1. Incomplete identification and classification for critical and sensitive information assets
  2. Limited assessment of third-party information security capability
  3. Inadequate definition and execution of control testing programs
  4. Incident response plans not being regularly reviewed or tested
  5. Limited internal audit and review of information security controls
  6. Inconsistent reporting of material incidents or control weaknesses to APRA in a timely manner

Prudential standard CPS 234: A recap

The purpose of CPS 234 is to ensure that regulated entities have baseline prevention, detection and response capabilities to withstand cyber security threats. CPS 234 aims to ensure that regulated entities take reasonable steps to be resilient against information security incidents, including cyberattacks, by maintaining an information security capability commensurate with information security vulnerabilities and threats.

CPS 234 is a clear and concise set of regulations and informs best-practice information security standards for regulated financial institutions. It is also a good reference point for steps to take in minimising the impact of information security incidents on the confidentiality, integrity and availability (CIA) of information assets, including those managed by third parties.

The assessments against CPS 234 are carried out for APRA by an independent third-party cyber expert.

A relevant lesson for all types of Australian organisations

The relevance of CPS 234 and the assessment findings extends beyond financial institutions; they are a good reference point applicable to organisations of all sizes and types, irrespective of industry.

The findings, read in conjunction with the ASD Essential 8 and other regulatory regimes relating to cyber security and cyber resilience, create an effective guideline as to how organisations should be investing in their organisational cybersecurity.

Testing and preparation among the challenges for business

The APRA findings reveal that key cybersecurity challenges for businesses continue to include:

  • Supply chain management
  • Effective incident response preparation
  • Effective and regular testing and assessment of controls
  • Internal auditing of security controls
  • Robust identification and classification of key information assets

Rapid detection and response continue to be important. Even with strong defences in place, rapid detection followed by an effective and timely response can greatly reduce an organisation’s business interruption, brand damage, and financial and operational loss in the event of an incident.

The APRA findings complement key insights within Marsh McLennan’s market-first research published earlier in 2023, which highlights the direct link between key cybersecurity controls and reduced cyber risk. It will be interesting to follow the trends in these results as the outcomes of more tripartite assessments are revealed.

Marsh cyber consulting can assist organisations of all sizes with their third-party vendor risk management reviews, compliance assessments, and incident response planning, reviewing and testing. We can also provide risk intelligence by identifying key risks and quantifying the potential financial loss should those risks eventuate. Contact us for more information.

Our people

Gill Collins

Head of Cyber Incident Management and Cyber Consulting, Pacific

Steve Thompson

Senior Manager, Cyber Solutions, Marsh Advisory

This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. LCPA 23/303