
APRA declares cyber-security gaps tolerance ‘never lower’

Mike Taylor, 25 July 2025
Cyber Resilience

The Australian Prudential Regulation Authority (APRA) has declared that its tolerance for gaps or weaknesses with respect to cyber security within major financial institutions has never been lower.

In doing so, the regulator has flagged that it will be carrying out a series of prudential reviews into entities’ compliance with new, tougher cyber security requirements, starting with significant financial institutions.

APRA chair John Lonsdale used an address to the Australian Banking Association (ABA) to point to the recent attacks on major superannuation funds, warning banks that they cannot “afford to be complacent or assume they don’t have similar vulnerabilities”.

He also singled out reliance on third-party providers as a growing source of vulnerability.

“On cyber risk, one of the most pressing issues is weaknesses in authentication controls, an issue that was highlighted by the credential stuffing attacks on several superannuation funds that emerged in April,” he said. “This issue prompted a heightened focus by APRA on how trustees are managing cyber security, however banks can’t afford to be complacent or assume they don’t have similar vulnerabilities.”
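The credential stuffing attacks Lonsdale refers to have a recognisable shape in login audit data: one source cycling through many distinct accounts with leaked username/password pairs, mostly failing, with the occasional success marking an account whose reused password was valid. The following is an added example, not APRA's or the article's material; the log format, field names, IP addresses and thresholds are assumptions constructed for illustration.

```python
"""Detect credential-stuffing bursts in web-login audit records.

Added example; the log format, thresholds and sample data below are
assumptions, not anything published by APRA or the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: "<timestamp> <source_ip> <username> <OK|FAIL>".
# 203.0.113.7 sprays 12 different accounts in 12 seconds (one succeeds);
# 198.51.100.5 is a real user mistyping her own password;
# 192.0.2.9 is a shared office gateway with several successful logins.
SAMPLE_LOG = "\n".join(
    [f"2025-04-01T09:00:{i:02d}Z 203.0.113.7 user{i:02d} "
     f"{'OK' if i == 7 else 'FAIL'}" for i in range(12)]
    + [
        "2025-04-01T09:01:00Z 198.51.100.5 alice FAIL",
        "2025-04-01T09:01:20Z 198.51.100.5 alice FAIL",
        "2025-04-01T09:01:45Z 198.51.100.5 alice OK",
        "2025-04-01T09:02:00Z 192.0.2.9 carol OK",
        "2025-04-01T09:02:10Z 192.0.2.9 dave OK",
        "2025-04-01T09:02:30Z 192.0.2.9 erin OK",
    ]
)


def parse(text):
    """Return a list of (time, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=10, min_fail_ratio=0.8):
    """Flag source IPs that, within any sliding window, touch at least
    `min_accounts` distinct usernames with a failure ratio of at least
    `min_fail_ratio`. Returns {ip: finding}; `compromised_accounts` lists
    the logins that succeeded inside the burst (the credentials that worked).
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Two-pointer sliding window: drop events older than `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            fails = sum(1 for e in span if not e[3])
            ratio = fails / len(span)
            if len(users) >= min_accounts and ratio >= min_fail_ratio:
                prev = findings.get(ip)
                # Keep the largest qualifying window for this IP.
                if prev is None or len(span) > prev["attempts"]:
                    findings[ip] = {
                        "attempts": len(span),
                        "distinct_accounts": len(users),
                        "fail_ratio": round(ratio, 2),
                        "compromised_accounts": sorted(e[2] for e in span if e[3]),
                    }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, finding)
```

The distinct-account count is what separates stuffing from a single user fumbling a password, and the failure ratio is what separates it from a busy NAT gateway. The success list inside the burst is the actionable output: those accounts need a forced credential reset and step-up authentication, not just a blocked IP. A stuffing campaign run through a residential proxy pool spreads attempts thinly across many IPs, so the same window logic should also be applied to aggregate login failures per endpoint, not only per source address.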

“APRA’s prudential standard on information security, CPS 234, requires entities to have controls commensurate with the threat environment, and this is something all entities must continue to review as the cyber threat environment worsens.”

“On operational risk more broadly, the increasing reliance on third party service providers continues to be a growing vulnerability that entities must manage. Events such as the CrowdStrike outage last year and the more recent targeting of Qantas customer data through a third-party servicing platform show how third-party weaknesses can lead to significant operational risks,” Lonsdale said.

The APRA chair noted that back in 2019 the regulator had warned that a significant cyber incident impacting banks, insurers or super funds was a matter of ‘when’, not ‘if’.

“With the recent hacking of multiple major superannuation funds, that has indeed come to pass. To date the impact on customers has been relatively limited at an entity and system-level but, amid the ‘perfect storm’ of factors I referred to earlier, entities must continue to be vigilant,” he said.

“With so much at stake, our tolerance for gaps or weaknesses in how these risks are being managed has never been lower.

“With CPS 230 now in effect, we will be carrying out a series of prudential reviews into how entities are complying with the new standard, starting with significant financial institutions before extending reviews to non-SFIs.

“On cyber, we see a need for continued focus on baseline resilience across all APRA-regulated industries and will be conducting further reviews to understand how entities are meeting the requirements of CPS 234.”

Mike Taylor

Managing Editor/Publisher, Financial Newswire
