APRA has published an Information Paper on the results of its survey of cybersecurity risk management.

Respondents to the survey included 37 regulated entities and four significant service providers, covering all APRA-regulated industries with the exception of private health insurance.

Just over half of all survey respondents – 20 regulated entities and one service provider – experienced at least one cyber security incident in the 12 months leading up to the survey between October 2015 and March 2016 that was sufficiently material to warrant executive management involvement.

Incidents reported by survey respondents included:

• potentially high impact incidents such as advanced persistent threats (APTs), distributed denial of service (DDoS) attacks and compromises of highly privileged access were experienced by 21 per cent of respondents;
• ransomware attacks by 14 per cent of respondents;
• potentially reputation damaging incidents such as website defacement and social media account misuse were experienced by approximately 1 in 8 entities (12 per cent of respondents); and
• other incidents with low impact such as compromise of client accounts, internet banking fraud, phishing and malware attacks were experienced by almost 1 in 4 respondents (24 per cent).

APRA says that the survey results (in conjunction with other supervisory information) confirm that all APRA-regulated entities, and not only the largest of these entities, need to operate on the assumption that cyber attacks will occur, and that such attacks will remain a constant challenge.

APRA concluded that regulated entities need to continue to enhance their prevention, detection and response capabilities, test their preparedness and work collaboratively with peers, researchers and government to improve their level of cyber resilience. cyber security risk management requires on-going vigilance, improvement, investment and oversight.

Furthermore, it would be prudent for entities to operate on the assumption that cyber attacks will become both more frequent and more sophisticated over time.

APRA recommends the following risk management practices:

• Governance: Ensure boards and executive management are well informed regarding cyber security risks and their organisation’s preparedness to prevent, detect and respond.
• Preparedness: Regularly test response plans for common cyber security incident types, including verified recovery capability for plausible worst-case scenarios.
• Scope: Cover the extended enterprise, including service providers, joint ventures and offshore locations when scoping cyber security risk management activities.
• Strategy and funding: Maintain a rolling strategy to address the evolving forms of cyber security risk, supported by ongoing investment.
• Capabilities and resourcing: Maintain sufficient access to specialist cyber security resources (either internally and/or via establishing partnerships).
• Situational awareness: Establish threat intelligence and other information sources on the latest attack vectors and countermeasures which are used to inform security practices, including monitoring and subsequent response.
• Incident response: Adopt an ‘assumed breach’ mentality and invest in capability to detect and respond to cyber security incidents in a timely manner.
• Assurance: Maintain ongoing assurance over effectiveness of prevention, detection and response capabilities.
• Collaboration: Share threat and response information with Government, industry and customers to improve prevention, detection and response capabilities.

APRA has previously published Prudential Practice Guide CPG 234 Management of Security Risk in Information and Information Technology and Prudential Practice Guide CPG 235 Managing Data Risk.

Cybercrime is also a concern for Austrac and the Privacy Commissioner.