Unveiling APRA’s 2020-24 Cyber Security Strategy: What you need to know

The Australian Government launched its highly awaited Cyber Security Strategy 2020 last month (the 2020 Strategy), with the stated goal of creating a more secure online world for Australians, their companies and the essential services on which we all depend.

As part of the drive to strengthen and safeguard the sector’s resilience against online attacks, financial industry boards and auditors have also been warned that cybersecurity strategies will be under increased scrutiny.

At today’s Financial Services Assurance Conference, Geoff Summerhayes flagged stricter cybersecurity requirements and financial sector transparency, announcing APRA’s 2020-24 Cyber Protection Plan.

Summerhayes, a member of the Executive Board of the Australian Prudential Regulation Authority, said: “We still see too many fundamental cyber-hygiene issues across the whole industry.”

“Our goals here are to abolish unnecessary or loose cyber exposures, foster a cyber defense community that is more prominent than the sum of its parts, and ensure that entities are ‘battle-ready’ when breaches inevitably occur.”

The new APRA Cyber Security Strategy reinforces three critical focus areas.

The first is to establish a baseline of cyber controls. It is close to 18 months since CPS 234 came into effect, and APRA is still seeing too many basic cyber-hygiene issues across the industry. APRA-regulated entities need to meet this regulatory requirement, avoid careless cyber exposures, and be “battle ready” for when breaches inevitably occur.

The second priority is to help boards and executives of financial institutions translate the urgency of CPS 234 into cyber security compliance practice and guidance. Cyber risk is hardly a new concept, yet many boards of APRA-regulated entities still lack the capability and the sense of urgency that cyber security matters demand.

Internal audit functions in many APRA-regulated entities lack sufficient cyber skills, are under-resourced, and have under-developed methodologies. As a result, APRA has observed a number of behaviours, including:
  • Cyber exposures identified by internal auditors met with an audit committee that failed to act (or does not know how to).
  • An audit committee struggling to interpret the severity of cyber risk findings compared to findings raised in other areas of the business.
  • Internal auditors that do not conduct a sufficiently thorough investigation into the state of the cyber controls to assure they are sufficient to meet the potential cyber risk exposures.

The third branch of APRA’s new Strategy is to rectify weak links within the broader financial ecosystem and supply chain by fostering the maturation of provider cyber-assessment and assurance, and by harmonising the regulation and supervision of cyber across the financial system.

Below are some key initiatives you should know about in APRA’s 2020-2024 CPS 234 Cyber Security Compliance Strategy:

Next steps APRA will implement in 2021:

APRA will be asking boards to engage an external audit firm to conduct a thorough review of their CPS 234 compliance and report back to both APRA and the board.

The aim is to identify compliance issues and ensure they are rectified as quickly as possible to protect companies and the wider system.

APRA is sending a serious and clear message to the boards and executive teams of financial institutions and affiliated bodies about failing to meet their legal obligations under the CPS 234 Cyber Security Standard.

We want compliance independently verified, and we will be applying serious pressure when it’s not forthcoming.

Where identified gaps are sufficiently material, APRA will consider requiring entities to issue a breach notice and create a rectification plan.

If boards are unwilling or unable to make the required changes in a timely manner, APRA will consider using formal enforcement action.

APRA’s 2020-2024 cyber security strategy is concise, with a clear definition of its expectations of boards and executive teams: “ensure CPS 234 is being fully complied with, holding boards and management accountable where they fail to meet CPS 234 cyber security compliance.”

Strengthening and upgrading your cybersecurity compliance is the only way to defend and safeguard your organization. Contact the APRA CPS 234 Cyber Security Auditors at Cybernetic Global Intelligence (CGI), an Australian organization with expertise in delivering outstanding cybersecurity services. You can talk to our APRA CPS 234 auditors on 1300 292 376 or email contact@cybernetic-gi.com for assistance.

Cybernetic Global Intelligence has a team of qualified PCI DSS QSAs and ISO 27001:2013 lead auditors and assessors who can assist in all aspects of APRA CPS 234 Information Security compliance. Like any compliance system, APRA CPS 234 can be complex and hard to navigate alone. We can take the stress out of becoming APRA CPS 234 compliant by assessing and validating adherence to the APRA CPS 234 compliance standards, and by working with you on diagnostic gap analysis, risk treatment, and ongoing monitoring and assurance with remediation strategies to help you meet the APRA CPS 234 Information Security Standard.
