
Financial institutions have cyber resilience gaps to fill, says APRA

An assessment of the cyber resilience of Australia’s finance sector has revealed that banks and other financial institutions have much more to do to secure themselves against cyber attacks.

Daniel Croft
Thu, 06 Jul 2023

The investigation, conducted by the Australian Prudential Regulation Authority (APRA), will evaluate the cyber resilience of 300 of Australia’s financial institutions by 2023. Currently, 24 per cent of these have been assessed by APRA.

“Some of the world’s largest brands have fallen victim to major data breaches in recent years,” said APRA.

“Rates of cyber crime have increased, and criminal attacks have become more sophisticated.


“Australia has not been immune; recent, well-publicised cyber attacks are among the largest in the country’s corporate history.”

Classed as “the largest study of its kind to be conducted by APRA”, the assessment tests entities’ compliance with the CPS 234 Information Security Standard.

“The purpose of the standard is to ensure that regulated entities have baseline prevention, detection and response capability to withstand cyber security threats.”

So far, the investigation has discovered a number of gaps in the security practices of these financial organisations, at a time when cyber attacks and losses are at a peak in Australia.

The APRA findings declared the following as key gaps:

  1. “Incomplete identification and classification for critical and sensitive information assets;
  2. “Limited assessment of third-party information security capability;
  3. “Inadequate definition and execution of control testing programs;
  4. “Incident response plans not regularly reviewed or tested;
  5. “Limited internal audit review of information security controls; and
  6. “Inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner.”

As the latest wave of cyber attacks has demonstrated, the second gap, limited assessment of third-party security capability, has proven detrimental to the security of financial institutions.

A supply chain attack on a third-party provider led to the major cyber attack on Latitude Financial, in which the data of 7.9 million people was stolen.

More recently, the big four banks — ANZ, Commonwealth Bank, National Australia Bank (NAB), and Westpac — all named themselves as victims of the HWL Ebsworth hack.

APRA said that the issue is common and a growing concern as “more and more entities are relying on service providers to manage critical systems”.

The findings come from just the first portion of APRA’s investigation, which the watchdog said will be completed by the end of the year.

“APRA encourages every entity to review those common weaknesses outlined [in the report], along with the prudential standard itself, and incorporate relevant strategies and plans to address shortfalls in their cyber security controls and governance policies,” it said.

For the full report, head to the APRA website.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
