APRA calls out FSIs on Cyber

APRA Executive Board Member Geoff Summerhayes has recently delivered a speech on APRA’s view of cyber security maturity within the Australian financial services industry, including the release of a four-year Cyber Security Strategy. This is a compelling read for all executives and Board members, especially those with direct BEAR accountability for cyber-related impacts and risks.

To date, there has not been a material cyber breach in any APRA-regulated bank, insurer or super fund. However, APRA sees that there is still room for improvement, as it is “still seeing too many basic cyber hygiene issues across the industry”.

The APRA Cyber Security Strategy 2020 – 2024 aims to raise standards and introduce heightened accountability. The intention, as per APRA’s “constructively tough” enforcement philosophy, is to expedite positive change to protect institutions and the customers that rely on them as part of the broader financial system.

Key elements of the APRA Cyber Security Strategy include:

1. Board Oversight, Action and Accountability

APRA has made it clear that, in general, it does not see Boards exercising their obligations regarding cyber risk. This is due to a combination of Boards not being properly informed and lacking the capability to understand what actions to undertake. APRA is now moving to an evidence-based approach to Board cyber risk oversight. “In light of evidence that Boards frequently don’t understand or are not adequately informed about cyber risks, we’re no longer prepared to simply take their words for it – we want compliance independently verified,” said Mr Summerhayes. APRA will achieve this by formulating sound practice guidance and stepping up its scrutiny of cyber oversight practices.

The consequences of non-compliance are also clear. “Where gaps are sufficiently material, we will consider forcing entities to issue a breach notice and create a rectification plan. If boards are unwilling or unable to make the required changes in a timely manner, we will consider using formal enforcement action,” said Mr Summerhayes.

2. Targeted Compliance with Prudential Standard CPS 234

The information security standard CPS 234 came into effect in July 2019. With full compliance expected by the start of 2021, around 100 entities have indicated shortcomings and requested extensions. APRA is seeing basic cyber hygiene issues and key weaknesses, especially in establishing a baseline of cyber controls, in testing capability and in incident response.

APRA will now take a targeted approach to ensuring CPS 234 is fully complied with. Specifically, APRA is calling on Boards to commission a CPS 234 compliance review through an external audit partner, with the findings reported both to the Board and to APRA.

3. Downstream Provider Risk

There is clear acknowledgement from APRA of the complexity of the provider value chain within the industry. Beyond the roughly 680 entities that APRA supervises, it estimates a further 17,000 entities are interconnected with the industry. This creates a very broad blast radius for cyber threats that have the potential to materially impact the financial system.

APRA aims to rectify weak links within the broader financial services ecosystem by fostering the maturation of provider cyber assessment and assurance, and by harmonising the regulation and supervision of cyber risk across the financial system. The APRA Cyber Security Strategy will introduce a broader set of tools and techniques for downstream and ecosystem risks.

4. Enhanced Role of Internal Audit

APRA has observed that the internal audit functions of many entities lack sufficient cyber skillsets, are under-resourced and have under-developed methodologies. This includes audit committees failing to act on recommendations, a lack of understanding of cyber risks and exposures, and insufficient investigation aligned to those exposures.

In APRA’s experience, the consequence is that many Boards are not properly informed about the true state of their entity’s cyber security posture or risks, and therefore do not understand why urgent action is required.

APRA’s cyber strategy will include enhanced cyber guidance for board members, internal auditors and risk management professionals.

APRA will be enforcing cyber-related performance, oversight and compliance in a constructively tough manner. The impact of cyber risk on the Australian financial services industry is of increasing concern to APRA, which will now take a proactive approach.

Capital Consult has assisted many FSIs with APRA readiness and compliance in the technology, outsourcing and risk domains. As such, we are well placed to provide advice and methods to implement our six-step action plan towards APRA-ready cyber maturity and regulatory compliance.

  1. Design and implement a Board education program covering organisational cyber maturity, performance and health metrics. Ensure a clear understanding of Board obligations aligned to risk appetite, BEAR accountabilities and APRA prudential obligations, e.g. CPS 234.
  2. Implement a dedicated program of work covering all aspects of CPS 234 compliance and operating maturity, including provider performance and risk. Ensure this has a line of sight to the Board.
  3. Commission a third-line assurance/audit review of CPS 234 compliance, reporting to the Board. This should be done via a combined internal and external audit partnership.
  4. Assess the internal audit function’s capability and maturity specific to cyber risk as part of the CPS 234 audit. Review the annual audit plan for regular cyber reviews.
  5. Implement an asset register of key providers, categorised and prioritised by business value and performance, sensitivity, criticality and cyber risk. Assess and classify each provider for business risk against the policy environment.
  6. Design and implement a provider assurance framework and plan, aligned to the contractual, governance and policy framework, to ensure ongoing assessment and reporting of risk, including cyber risk.

About the Author: Mark Zanon is the Managing Director of Capital Consult, which has been providing specialist advice and services to organisations dealing with APRA since 2008. We assist organisations to interpret and achieve compliance with the APRA prudential standards, guidelines and supervisory framework.