Insight

APRA finds gaps in compliance with CPS 234


Tell me in 1 minute

The Australian Prudential Regulation Authority (APRA)’s initial round of tripartite cyber assessments of regulated entities against prudential standard CPS 234 (CPS 234) has revealed significant control gaps in those entities’ compliance with the requirements of CPS 234. APRA is actively targeting areas of non-compliance, as it considers that there is a real need to lift the bar in cyber resilience management.

Regulated entities should take steps to review their CPS 234 control frameworks

The results of the initial round of assessments, coupled with recent high profile cyber security incidents, indicate that APRA is now very clearly focussed on improving cyber resilience in its regulated population. For example, on 27 June this year, APRA announced that, following a review of Medibank’s cyber incident, it would impose an increase of $250 million in Medibank’s capital adequacy requirements, which would stay in place until completion of an agreed remediation program.

APRA’s statement that it is actively targeting areas of non-compliance means that there will be increased APRA supervisory oversight for regulated entities that have gaps in their controls frameworks against CPS 234. Regulated entities should take steps to review their controls framework, having particular regard to the control gaps and corresponding recommendations set out by APRA in its findings arising out of this initial round of tripartite cyber assessments.

Tripartite cyber assessment

As part of its 2020-2024 Cyber Security Strategy, APRA has been undertaking large scale independent tripartite cyber assessments of APRA regulated entities’ compliance with CPS 234. Broadly, CPS 234 requires APRA-regulated entities to maintain adequate prevention, detection and response capabilities against information security vulnerabilities and threats.

The assessments involved the appointment of an independent auditor to assess entities’ compliance with CPS 234 and will cover over 300 banks, insurers and superannuation trustees during the course of this year. On 5 July 2023, APRA published its initial findings from tranche one of the assessments, covering approximately 24% of its regulated entities. See the findings here.

APRA will release findings from the final four tranches of this study throughout 2023. These will provide further insights and guidance into common industry-wide information security gaps.

Common control gaps identified to date

In its initial findings, APRA identified six common control gaps that were found:

  • incomplete identification and classification for critical and sensitive information assets
  • limited assessment of third-party information security capability
  • inadequate definition and execution of control testing programs
  • incident response plans not regularly reviewed or tested
  • limited internal audit review of information security controls, and
  • inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner.

Details of control gaps and recommendations

For each observed gap, the details of the gap are set out first, followed by APRA’s recommendations.

Inadequate labelling of critical and sensitive information assets

Many entities failed to properly identify critical and sensitive information assets (such as software, hardware and data), making it difficult to apply appropriate controls and protections.

Common gaps include:

  • a lack of information asset classification policies and inadequate definitions of what assets are critical or sensitive
  • failure to regularly review and update asset registers, resulting in inaccurate information, and
  • failure to properly identify and classify information assets managed by third parties.

Entities should consider:

  • the potential consequences of an information asset being exposed, when classifying that asset
  • using an information asset inventory repository to register assets and map information relationships, and
  • classifying an asset’s sensitivity and criticality rating as the highest of its constituent parts.

Limited assessment of third-party information security protocols

Several entities that use service providers to manage critical systems failed to verify the adequacy of the third party’s information security controls.

Common gaps include:

  • limited or inadequate information security control assessment plans for third parties
  • reliance on the third-party’s self-assessment of information security
  • inability to verify control testing conclusions due to removal of testing evidence, and
  • infrequent testing of criticality and sensitivity of information assets managed by third parties.

Entities should consider:

  • identifying which information assets are managed by third parties, and using this to inform the required rigour of testing
  • identifying and verifying third parties’ controls, for example through surveys, control testing, certifications and independent assurance assessments, and
  • addressing any capability gaps as soon as identified.

Ineffective control testing programs

Many entities failed to use systematic testing programs to test the effectiveness of their information security controls.

Common gaps include:

  • ineffective assurance programs which do not address key controls such as user access reviews, physical security tests and data loss prevention
  • lack of consistency, independence and adequate frequency in testing procedures, and
  • not retaining the evidence used in testing the effectiveness of controls.

Entities should consider:

  • using a broader range of testing procedures
  • defining more discrete testing goals, and
  • facilitating testing by using independent specialists.

Deficient incident response plans

Several entities’ incident response plans were inadequate, hindering their response capability to information security incidents.

Common gaps include:

  • failure to have or regularly review and test incident response plans
  • the role of third parties not being considered by the incident response plans, and
  • considering a limited number of plausible security incidents.

Entities should consider:

  • testing incident response plans at least once annually
  • ensuring response plans cover a broad range of security incidents, such as ransomware, data breaches and website defacement, and
  • creating more comprehensive plans to ensure clarity of roles and reduce decision-making during an incident.

Limited internal audit of information security controls

Many entities did not perform sufficient internal audit of information security controls, particularly of third parties.

Common gaps include:

  • inadequate review of third-party information security controls, and
  • internal auditors lacking the required information security skills.

Entities should consider:

  • uplifting audit processes to emphasise areas where information security incidents have greater impact, and where other control testing cannot be fully relied on
  • understanding the testing of other areas to determine the appropriate level of reliance upon it, and
  • reporting deficiencies or a lack of assurance to the Board.

Inadequate reporting to APRA of material incidents and control weaknesses

Several entities had deficient processes to ensure that material incidents and control weaknesses are reported to APRA.

Common gaps include:

  • failure to have an APRA notification process
  • contracts with third parties not including APRA notification requirements
  • unclear processes to identify reportable incidents, and
  • timely notification to APRA not being required or enforced.

Entities should consider:

  • clarifying internal procedures to ensure APRA notification occurs in a timely manner, and
  • using multiple processes to identify control weaknesses, such as control testing, assurance activities and vulnerability notification by software.