APRA identifies cyber security gaps

APRA has published early findings from its study on cyber resilience in financial services.

The study involves more than 300 banks, insurers and superannuation trustees participating in an independent tripartite cyber assessment, which requires each APRA-regulated entity to appoint an independent auditor to assess its compliance with Prudential Standard CPS 234 Information Security (CPS 234).

Where gaps are identified and breaches are reported, APRA intensifies its supervisory oversight of the entity concerned.

The first round of findings comes from the first tranche of CPS 234 assessments, which covered around a quarter of APRA’s regulated entities.

The most common control gaps identified in this tranche were:

  • incomplete identification and classification for critical and sensitive information assets;
  • limited assessment of third-party information security capability;
  • inadequate definition and execution of control testing programs;
  • incident response plans not regularly reviewed or tested;
  • limited internal audit review of information security controls; and
  • inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner.

Entities are currently participating in the second and third tranches of APRA’s assessment, and the fourth and final tranche is expected to be rolled out later in 2023.

These gaps were discussed at the recent Superannuation CEO Roundtable at which APRA and ASIC shared the following insights:

  • To reduce the risk of significant compromise, trustees should have strong data and IT systems governance measures that include the decommissioning of legacy systems and adequate service provider oversight.
  • Preparedness for an incident occurring is also critical. Response plans should be tested and address, at a minimum, governance and decision-making, business continuity and contingency planning, and communication strategies.
  • Simulations of cyber threats and trustee responses can be very effective in ensuring that trustees are well-prepared and response plans are fit for purpose. Clear delineation between board and management responsibilities is important to establish in advance of any real threat scenario.
  • Cyber incidents can have direct negative consequences for members. Trustees must make decisions which are in the best interests of their members and this includes providing members with timely and accurate communications and ensuring adequate resourcing for appropriate member support.


Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.
