
APRA policies and supervision: priorities for 2023

The Australian Prudential Regulation Authority (APRA) aims to protect financial institutions and the financial system as a whole by proactively identifying and responding to significant risks.

APRA has recently released its policy and supervision priorities for 2023, in accordance with its latest Corporate Plan. Notably, APRA has stated that given the heightened risk of operational disruptions, including cyberattacks, it:

  • will further increase the scrutiny of operational and cyber risk-management practices across all industries; and
  • has heightened expectations of entities’ ability to rapidly detect weaknesses and to implement remediation plans.

In line with this focus, there are two key policy and supervision priorities for 2023 that are particularly relevant to financial institutions assessing their cybersecurity posture. These include:

1. Completing key reforms to strengthen the financial and operational resilience of APRA-regulated entities, and improve outcomes for superannuation members

APRA has stated that regulated entities must be able to identify and effectively respond to business disruptions and operational risks and to ensure the data they hold is secure.

In 2023, there will be a focus on strengthening operational resilience through oversight of third-party service provision, technology resilience, operational risk and compliance.

This focus foreshadows the pending implementation of Prudential Standard CPS 230 Operational Risk Management (CPS 230) which will provide a framework for financial institutions to manage their information and technology risks, and ensure the stability and resilience of their operations.

2. Heightened supervision on cyber resilience through detailed assessments and rigorous pursuit of breaches

As part of its 2020-2024 Cyber Security Strategy, APRA issued Prudential Standard CPS 234 Information Security (CPS 234). Under CPS 234, regulated entities must complete assessments of their compliance with the standard at specific intervals, as well as report information security incidents and information security control weaknesses to APRA as soon as possible.

In 2023, APRA intends to use this information to exercise heightened supervision on cyber resilience, including:

  • rigorously pursuing breaches of the standard;
  • requiring and reviewing comprehensive remediation plans to ensure timely rectification and follow up of all gaps identified;
  • conducting targeted deep-dive reviews on areas of weakness that fail to meet expectations; and
  • sharing insights and industry-wide guidance to direct cyber resilience uplift.

APRA has also expressed that it will be focussing on board effectiveness in relation to cyber resilience, and will issue information requests to board members at select regulated entities to gain a better insight into practices and potential weaknesses.

What does this mean for Australian financial institutions?

Australian financial institutions should consider whether their own policies and practices align with APRA’s expectations, and adopt additional measures as appropriate. Questions that financial institutions should be asking include:

  1. Cybersecurity resilience: does the financial institution have the necessary measures in place to detect, respond to, and recover from cyber threats?
  2. Data security: does the financial institution have secure data management, including data privacy and protection of sensitive information?
  3. Third party risk management: does the financial institution mitigate the security risks posed by external partners and vendors?
  4. Incident response planning: does the financial institution have a robust incident response plan in place to ensure that it can quickly and effectively respond to security incidents?

By responding to these questions and identifying potential gaps in the financial institution’s policies and practices, the financial institution will be better equipped to meet APRA’s expectations and maintain the stability and resilience of the financial system as a whole.

Marsh offering

As your trusted advisor and partner in cyber risk management and enterprise risk assessment, Marsh can work with you to determine your current cyber risk posture and implement improved protocols and procedures to enhance insurability, loss mitigation and cyber resilience. These reviews will extend beyond your technical risk management procedures to include the enterprise wide review of cyber resilience, data protection and incident preparedness.

Our people


Gill Collins

Head of Cyber Incident Management and Cyber Advisory, Marsh Pacific


Hannah Morgans

Growth Leader, Cyber

  • Australia

This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. LCPA 23/113