The Council of Financial Regulators has released a Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework to test and demonstrate the cyber maturity and resilience of institutions within the Australian financial services industry.

At the same time, the Australian Prudential Regulation Authority has warned that its newly released cybersecurity strategy set out in CPS 234 requires more intense focus from financial firms.

In a recent speech APRA Executive Board Member Geoff Summerhayes said that APRA’s vision is for a financial system that can stand firm against cyber-attacks and that APRA will be stepping up its scrutiny of cyber oversight practices.

To achieve that goal APRA will be holding boards and management accountable where CPS 234 is not complied with. APRA will shortly be requesting one-off tripartite independent cyber security reviews across all its regulated industries. APRA will be asking boards to engage an external audit firm to conduct a thorough review of their CPS 234 compliance and report back to both APRA and the board.

The strategy recognises that the Australian financial system is an ecosystem of an estimated 17,000 interconnected financial entities, markets, and financial market infrastructures that provide products and services to consumers. APRA only directly supervises around 680 of these, yet a cyber breach in any part of the system – such as an insurance broker, a credit ratings agency, an IT service provider or ATM repair service – can have a cascading impact on the whole system.

He pointed to weakness in internal audit functions.

He said:

“Internal audit functions in many APRA-regulated entities lack sufficient cyber skill sets, are under-resourced, and methodologies are under-developed. As a result, APRA has observed examples of a number of behaviours:

• cyber exposures identified by internal auditors met with an audit committee that failed to act (or doesn’t know how to);
• an audit committee struggling to interpret the severity of cyber risk findings compared to findings raised in other areas of the business; or
• internal auditors that don’t conduct a sufficiently thorough investigation into the state of the cyber controls to assure they are sufficient to meet the potential cyber risk exposures.

The consequence of this is that many boards either aren’t properly informed about the true state of their entity’s cyber security, or they fail to grasp why urgent action is required.”

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.