Banks, insurers not doing enough to prevent cyber attacks: APRA

Despite a spike in high-profile cyber attacks, the nation’s banks and superannuation firms are still unprepared, according to the prudential regulator.

The nation’s financial institutions are not doing enough to prevent cyber attacks, with an assessment of hundreds of banks, insurers and superannuation trustees by prudential regulator APRA finding widespread gaps and cyber weaknesses despite a spike in high-profile attacks in recent months.

The Australian Prudential Regulation Authority on Wednesday said it had assessed about a quarter of its regulated entities, revealing significant gaps across the industry, in a sign that more attacks are likely unless improvements are made.

It said the most common gaps include incomplete identification and classification for critical and sensitive information assets, inadequate incident response plans, and limited assessment of third-party information security capabilities.

“Rates of cybercrime have increased and criminal attacks have become more sophisticated. Australia has not been immune; recent, well-publicised cyber attacks are among the largest in the country’s corporate history,” APRA said in a statement. “Early findings from an expansive APRA study on cyber resilience in financial services show there is a need to raise the bar. With the risk cyber attacks pose to institutions and the Australian community, APRA is rigorously targeting areas of noncompliance.”

It said that by the end of the year more than 300 organisations will have participated in APRA’s independent cyber assessment process, and it is encouraging each of the firms to review common weaknesses and incorporate relevant strategies to address cyber security shortcomings.

“Where gaps are identified and breach reporting is undertaken, APRA intensifies its supervisory oversight. This helps to ensure entities remediate cyber resilience deficiencies and meet their CPS 234 obligations.”

Late last year APRA said it would “intensify its supervision of all entities not meeting the information security prudential standard CPS 234 as a result of the extensive independent review under way, and other supervisory activities.”

Introduced in 2019, CPS 234 was designed as a measure to boost cyber resilience and require banks, insurance firms and superannuation funds to maintain cyber capabilities, conduct regular testing and notify the regulator if incidents occur.

APRA last month ordered Australia’s largest health insurer Medibank to hold an additional $250m in capital and to undergo a targeted technology review focused on its governance and risk culture, after it suffered one of the largest data breaches in Australian history.

“While Medibank has already addressed the specific control weaknesses which permitted unauthorised access to its systems, it still has further work to do across a number of areas to further strengthen its security environment and data management,” APRA member Suzanne Smith said in a statement late last month. She also noted that not all entities were heeding APRA’s messages and it continued to “identify poor cyber security practices and inadequate oversight from boards and management”.

Original URL: https://www.theaustralian.com.au/business/technology/banks-insurers-not-doing-enough-to-prevent-cyber-attacks-apra/news-story/d8f9971b267069bb5759fb8d795d1d27