Skip to main content

Article

What your organisation can learn about risk readiness from the early results of APRA’s cybersecurity stocktake

Initial results of APRA’s assessment of cybersecurity capabilities highlights weaknesses for Australian banks, insurers and superannuation trustees.

Team rowing into the sunset

The baseline cybersecurity capabilities of more than 300 banks, insurers and superannuation trustees across Australia are this year undergoing assessment by the Australian Prudential Regulation Authority (APRA), and the first round of results make for concerning reading.

The survey, which assesses compliance with APRA Prudential Regulation CPS 234 and also covers information assets managed by third-party vendors, is directed at regulated financial institutions.

But its findings are relevant for the wider corporate community beyond the finance sector, who would do well to take note of what it indicates about businesses’ overall state of cyber risk management and resilience.

At the time of writing, APRA had released the results of its initial round of tripartite cyber assessments for just under a quarter (24%) of the targeted financial institutions. They suggest such organisations are falling below expected levels of cyber resilience and cyber risk management maturity – even amid the sense of urgency following recent major data breaches and the increasing sophistication of cyberattacks overall.

The six cyber-readiness weaknesses revealed in the results

APRA highlights six key areas where there are significant gaps between expected controls and organisations’ current capabilities on cybersecurity. These are:

  1. Incomplete identification and classification for critical and sensitive information assets
  2. Limited assessment of third-party information security capability
  3. Inadequate definition and execution of control testing programs
  4. Incident response plans not being regularly reviewed or tested
  5. Limited internal audit and review of information security controls
  6. Inconsistent reporting of material incidents or control weaknesses to APRA in a timely manner

Prudential standard CPS 234: A recap

The purpose of CPS 234 is to ensure that regulated entities have baseline prevention, detection and response capabilities to withstand cyber security threats. CPS 234 aims to ensure that regulated entities take reasonable steps to be resilient against information security incidents, including cyberattacks, by maintaining an information security capability commensurate with information security vulnerabilities and threats.

CPS 234 is a clear and concise set of regulations and informs best practice information security standards for regulated financial institutions. It is also a good reference point for steps to take in the minimisation of information security incidents on the confidentiality, integrity and availability (CIA) of information assets, including those managed by third parties.

The assessments against CPS 234 are carried out for APRA by an independent third-party cyber expert.

A relevant lesson for all types of Australian organisations

The relevance of CPS 234 and the assessment findings extend beyond financial institutions and are a good reference point which is applicable to organisations of all sizes and types, irrespective of industry.

The findings, read in conjunction with the ASD Essential 8 and other regulatory regimes relating to cyber security and cyber resilience, create an effective guideline as to how organisations should be investing in their organisational cybersecurity.

Testing and preparation among the challenges for business

The APRA findings reveal that key cybersecurity challenges for businesses continue to include:

  • Supply chain management
  • Effective incident response preparation
  • Effective and regular testing and assessment of controls
  • Internal auditing of security controls
  • Robust identification and classification of key information assets

Rapid detection and response continues to be important. Even with strong defences in place, rapid detection followed by effective and timely response can have a huge impact on an organisation’s business interruption, brand damage, financial and operational loss in the event of an incident.

The APRA findings complement key insights within Marsh McLennan’s market-first research published earlier in 2023, which highlight the direct link between key cybersecurity controls and reduced cyber risk. It will be interesting to follow the trends of these results as the outcome of more tri-partite assessments are revealed.

Marsh cyber consulting can assist organisations of all sizes with their third party vendor risk management reviews, compliance assessments and incident response planning, reviewing and testing. We can also assist in providing risk intelligence by the identification of key risks and the quantification of the potential financial loss should those risk eventuate. Contact us for more information.

Our people

Placeholder Image

Gill Collins

Head of Cyber Incident Management and Cyber Consulting, Pacific

Steve Thompson

Steve Thompson

Senior Manager, Cyber Solutions, Marsh Advisory

This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. LCPA 23/303