The Australian Prudential Regulatory Authority (APRA) is launching a new effort to consolidate and strengthen the financial sector’s cyber resilience.
Whilst Australia’s financial sector has a strong track record when it comes to securing critical systems and data, APRA believes that the institutions it regulates, including banks, insurers and superannuation funds, as well as their third-party suppliers, can do more to embed this resilience.
The introduction of APRA’s cyber security standard, CPS 234, has significantly contributed to the sector’s strong approach to cyber risk management. However, the regulator believes some boards may still lack visibility or sufficient understanding of cyber risk. Furthermore, some organisations’ internal teams may lack the necessary specialist skills.
To address these concerns, APRA has unveiled its Cyber Security Strategy for 2020 to 2024. APRA will begin taking a more formal approach to ensuring the requirements of CPS 234 are being fully implemented. The regulator may hold boards accountable in cases where an organisation is not implementing CPS 234. Part of this new approach will include APRA requesting independent cyber security reviews across all its regulated industries. From next year, boards will be required to use an external auditor to review CPS 234 compliance and report back to both APRA and the board.
If boards are unwilling or unable to make the required cyber security enhancements in a timely manner, the regulator will consider using formal enforcement action.
Importantly, the new strategy takes a broader approach by recognising the critical role third-party suppliers and providers play in the industry’s integrity. The financial system’s cyber resilience is only as strong as “the weakest link in the chain,” according to APRA Executive Board Member, Geoff Summerhayes.
For comprehensive CPS 234 consulting services that help ensure your financial organisation is fully compliant, contact CyberCX. Our team of CPS 234 specialists will guide you through all the requirements so you can demonstrate alignment with this important cyber security standard.