APRA out of patience with Cybersecurity Non-Compliance

Australian Prudential Regulation Authority (APRA) chair John Lonsdale has expressed frustration at the failure of the banking and financial sector to deal with fundamental cybersecurity issues.

In a speech to the Financial Services Institute of Australasia (FINSIA), Lonsdale said many in the sector were struggling to meet the minimum requirements of APRA’s information security standard CPS 234, which came into force three years ago.

“ … many entities are still struggling with foundational issues: ensuring third party controls are effective, making sure that systematic security control testing is in place, and regularly testing incident response plans,” said Lonsdale.

“With the potential for serious impact to millions of Australians, our patience has run out. Where an entity is found to be significantly wanting in its cyber preparedness, we are intensifying supervision, insisting upon remediation plans, and taking enforcement action such as capital overlays and potentially license conditions.”

APRA-regulated banking, insurance and superannuation entities in Australia have until 1 July 2025 to comply with APRA’s newer CPS 230 (Operational Risk Management) standard, which raises the bar on operational resilience and on the management of material service providers.

“Although the new standard isn’t in place for another 18 months, there are things entities can do now,” said Lonsdale.

“Mapping out critical operations and identifying material service providers is a practical initial step, as is building organisational awareness. APRA will continue to work closely with entities to prepare them for the implementation of the standard and will issue additional guidance early next year.”

APRA has been working to transform its data collection and analysis capabilities to enable more effective risk-based supervision, improve insights and enhance transparency. This process stepped up earlier this year with the creation of a new standalone Technology and Data division reporting directly to the APRA Members.

“This is an ambitious and complex multi-year piece of work,” said Lonsdale.

“Already, we have needed to rethink the pace, sequencing and priorities of our roadmap for transforming the data collections. In doing so, we are mindful of the importance of keeping industry informed and engaged and limiting regulatory burden as best we can. In the long-term, this important work will benefit everyone, including the entities we regulate who will no longer need to resubmit the same data multiple times.”