Bank cyber resilience bothers APRA

Ian Rogers

There were 113 data breaches and other cybersecurity incidents affecting the banking and finance sector over the year to June 2020.

APRA has begun reporting on this theme; its Prudential Standard CPS 234: Information Security came into effect in July 2019.

In its 2020 annual report, APRA explains that it established a “formal information security incident notification … to ensure APRA has visibility of when a material incident has occurred, how an institution is responding to it and what actions are being undertaken to prevent similar future incidents.”

As the chart shows, data breaches are most common, with 85 incidents reported to APRA.

Less common, and ranging from the embarrassing to the severe, were system compromises, network incursions, denial-of-service attacks and website defacement.

Requirements in CPS 234 relating to third-party arrangements came into effect on 1 July 2020.

“While some extensions were granted on a case-by-case basis to institutions so they could deal with the impact of COVID-19, an industry proposal for an across-the-board extension for all institutions was not granted, recognising the importance of managing the cyber exposure present within regulated institutions’ supply chains,” APRA said.