APRA finds 'concerning' cyber resilience gaps

John Kavanagh

The Australian Prudential Regulation Authority has released the initial findings of an assessment of cyber resilience in financial services, reporting a number of “gaps” that need to be filled.
 
APRA said problems included: incomplete identification and classification of critical and sensitive information assets; limited assessment of third-party information security capability; and inadequate definition and execution of control testing programs.
 
Other shortcomings included limited internal audit of security controls, inconsistent reporting of incidents and a failure to review or test incident response plans.
 
APRA described these gaps as “concerning” and said it had intensified its supervisory oversight.
 
These initial findings are based on assessments of around 24 per cent of the entities APRA regulates, benchmarked against compliance with prudential standard CPS 234 Information Security. 
 
It said that by the end of the year it will have assessed more than 300 banks, insurers and superannuation trustees. Each entity must appoint an independent auditor to assess compliance with the standard.
 
Information assets include hardware, software and data. APRA said information asset classification policies and methodologies are not fully established and do not define the criteria for determining which assets are critical or sensitive.
 
Information in asset registers is not reviewed and updated regularly, and information assets managed by third parties are not fully identified and classified.
 
Information security control assessment plans for third parties have limited scope or, in some cases, do not exist. Assessment of control design is often based on the third party’s self-assessment rather than independent testing.
 
When it comes to incident management, APRA found that plans are not reviewed or tested regularly and, in some cases, not in place at all. Incident management policies typically do not define the roles and responsibilities of third parties.
 
APRA must be notified of material incidents and control weaknesses in cyber systems. The regulator said it is concerned that notification requirements are not included in some entities’ policies and that contracts with critical third parties do not contain notification requirements.
 
It said criteria to identify material and reportable incidents and control weaknesses are not clearly defined, and processes to ensure timely reporting are often not established.