Cyber resilience is a key plank of new supervision from the Australian financial services regulator.
The Australian Prudential Regulation Authority (APRA) has released an Interim Policy and Supervision Priorities letter addressed to all APRA-regulated entities.
“This letter provides an interim update on APRA’s supervision and policy priorities for the first six months of the year, to bridge to the 2024–25 Corporate Plan,” APRA said in its letter, “which is due by the end of August”.
While addressing climate risk and lifting cultural and governance standards are key parts of the supervision, cyber resilience takes the top spot as a priority to address within the next six months.
The aim is simple: all APRA-regulated entities “must ensure they take steps to be resilient against the growing threat of cyber attacks”. While there are as yet no hard policies to address this objective, APRA intends to continue to focus on cyber resilience in a supervisory capacity to ensure that all relevant bodies measure up to “the standards expected of them under Prudential Standard CPS 234 Information Security”.
CPS 234 was introduced in 2019 and requires financial entities to have clearly defined information security roles and responsibilities at the board level and to operate security capabilities “commensurate with the size and extent of threats to its information assets”.
The standard also requires financial institutions to notify APRA of any material events.
APRA will require all remaining CPS 234 assessments to be submitted within the next six months.
“Where entities are found to have significant vulnerabilities, APRA will take a proportionate response and may intensify supervision, require root cause analysis, request remediation plans, and consider enforcement action,” APRA said.
The letter also addresses the broader issues of operational resilience. Prudential Standard CPS 230 – which will come into full effect in 2025 – will require all entities to “understand and manage their operational risks and be able to maintain their critical operations for beneficiaries and customers through business disruptions”.
This also covers cyber resilience, since any significant cyber event – such as a ransomware or distributed denial-of-service (DDoS) attack – may impact operational performance.
APRA will release a prudential practice guide within the next six months to help institutions meet the new requirements. There will also be a series of APRA-hosted roundtables where entities can learn more about what is expected of them.
“Entities should expect further engagement on operational resilience through 2024 to assist readiness,” APRA said.