The thin credentials of the Australian finance industry’s most senior people - bank boards included - stand exposed after a landmark (and devastating) speech yesterday by APRA member Geoff Summerhayes.
Summerhayes used the speech to unveil APRA’s new Cyber Security Strategy, but it’s what the industry has been doing (or, mainly, not doing) that is the crux of the analysis in his speech for the Financial Services Assurance Forum.
“Although the financial industry takes cyber risk seriously, there is room for improvement,” was about as polite as he got.
“Too many boards still lack visibility or understanding of the problems”, was one charge levelled at the sector by Summerhayes, and you can bet APRA has more than one of the larger banks and insurers in mind for this list.
And: “internal audit functions can lack the specialist skills to challenge boards and management to plug urgent gaps.”
APRA disclosed that it granted more than 100 requests for regulatory relief to entities struggling to meet the 1 January 2021 deadline to comply with the current cyber-security provisions, which at present are a component of Prudential Standard CPS 234 on Information Security.
APRA’s concessions “were consistent with our wider efforts to reduce the regulatory burden so industry could focus on its pandemic response,” Summerhayes said.
“But amid consistent evidence that many entities are failing to adequately comply with CPS 234, this is one area where APRA can no longer hold off tightening the regulatory screws.”
Our new Cyber Security Strategy, Summerhayes said, “builds on previous strategic initiatives including the delivery of APRA’s information security prudential standard and prudential guidance, and establishing a notification and response process for material cyber incidents.
“Our mission is to make a step change in Australia’s financial system cyber resilience,” he said.
“At the heart of the new strategy is recognition that the Australian financial system is an ecosystem of an estimated 17,000 interconnected financial entities, markets, and financial market infrastructures that provide products and services to consumers.”
APRA only directly supervises around 680 of these.
“Our goals here are to eradicate unnecessary or careless cyber exposures, foster a community of ‘cyber defenders’ that is greater than the sum of its individual parts, and make sure entities are ‘battle ready’ for when breaches inevitably occur,” Summerhayes said.
“Our second priority is to enable boards and executives of financial institutions to oversee and direct correction of cyber exposures … Where boards will leap into action to head off a threat to liquidity or a major credit risk, we don’t see that same sense of confidence and urgency translated to cyber security matters.”
In a generalised manner, Summerhayes dragged the industry’s internal audit through the wringer.
“The internal audit function should be the eyes and ears of the board into their organisations,” he said.
“However, when it comes to cyber, the eyesight is often blurry and the hearing dull.
“Internal audit functions in many APRA-regulated entities lack sufficient cyber skill sets, are under-resourced, and methodologies are under-developed.”
As a result, Summerhayes said, APRA has observed examples of a number of behaviours:
— “cyber exposures identified by internal auditors met with an audit committee that failed to act, or doesn’t know how to”;
— “an audit committee struggling to interpret the severity of cyber risk findings compared to findings raised in other areas of the business”; and
— “internal auditors that don’t conduct a sufficiently thorough investigation into the state of the cyber controls to assure they are sufficient to meet the potential cyber risk exposures.”
The consequence of this “is that many boards either aren’t properly informed about the true state of their entity’s cyber security, or they fail to grasp why urgent action is required,” an exasperated Summerhayes said.
An avalanche of consultation, encouragement for industry cooperation and maybe regulatory harmonisation is promised as part of APRA’s new cyber strategy.
Inevitably, APRA will collect more data in new areas, “to better understand the cyber threat, and share that knowledge to enable industry self-assessment and benchmarking,” Summerhayes said.
“We are looking at partnering with academia to research issues such as measuring and benchmarking cyber resilience, and exploring more formal threat intelligence sharing among domestic and international regulators to better inform our activities,” so APRA will be a funder.
“We are also going to take a much more targeted approach to ensuring CPS 234 is being fully complied with, and holding boards and management accountable where it is not,” Summerhayes said.
APRA will shortly be requesting one-off tripartite independent cyber security reviews across all its regulated industries.
Starting next year, APRA will be asking boards to engage an external audit firm to conduct a review of their CPS 234 compliance and report back to both APRA and the board.
“We haven’t made a final determination on which entities this will apply to,” Summerhayes said, “but all entities should prepare accordingly.”
“In light of evidence that boards frequently don’t understand or are not adequately informed about cyber risks, we’re no longer prepared to simply take their words for it – we want compliance independently verified, and we will be applying serious pressure when it’s not forthcoming.”
Where gaps are sufficiently material, APRA will consider forcing entities to issue a breach notice and create a rectification plan.
If boards are unwilling or unable to make the required changes in a timely manner, APRA will consider using formal enforcement action.