The Australian Prudential Regulation Authority has challenged banks and other financial institutions to stop thinking about information security and cyber risk as technology issues and elevate them to the level of “overall business risks”. The regulator has called on regulated entities to “build a new mindset” to overcome compliance failings in meeting the current information security standard and prepare to meet the requirements of a new operational risk management standard.

In July, APRA released the findings of an assessment of compliance with prudential standard CPS 234 Information Security, which has been in force since 2019. It found that “control gaps” were common, including incomplete identification and classification of critical and sensitive information assets; limited assessment of third-party information security capability; and inadequate definition and execution of control testing programs. Other shortcomings include limited internal audit of security controls, inconsistent reporting of incidents and a failure to review or test incident response plans. The regulator said these gaps were “concerning” and that it had intensified its supervisory oversight.

In a speech last week, APRA member Therese McCarthy Hockey set out to explain why, in APRA’s view, banks and other financial institutions are struggling to meet the standard’s requirements. McCarthy Hockey said: “There is a range of answers: the evolving nature of cyber threats means organisations are constantly firing at moving targets; increasing reliance on multiple service providers creates complex webs of interconnectivity, which makes oversight harder; and we know that many of our entities have laboured to migrate legacy systems to new, more secure platforms.

“APRA has also observed a long period of insufficient investment in both cyber security technology and personnel with the necessary skills and experience, especially among smaller organisations that lack the deep pockets of the industry giants.

“But if we were to identify a root cause it would be that information security has too often been seen by boards as a technology risk and not an overall business risk. Rather than leaving cyber resilience to the IT and cyber security departments, boards need to become much more tech savvy and alert to how the threats have changed, in particular for the data they collect and manage.”

McCarthy Hockey said APRA was running out of patience with the slow pace of change. The regulator will put more pressure on banks and other financial institutions in the lead-up to the introduction of a new operational risk standard in 2025.

Prudential Standard CPS 230 Operational Risk Management, which was released in July, includes requirements to address identified weaknesses in existing controls and to improve business continuity planning to deal with severe disruptions. The new standard also includes rules that enhance third-party risk management, so that risks from service providers are appropriately managed.

For the purposes of business continuity planning, the standard defines critical operations as processes undertaken by a regulated entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on depositors, policy holders, beneficiaries or other customers, or on its role in the financial system. An authorised deposit-taking institution must classify payments, deposit-taking and management, custody, settlement