Tell me in 1 minute
The Australian Prudential Regulation Authority (APRA) has published the initial findings from its first round of tripartite cyber assessments of regulated entities against Prudential Standard CPS 234 Information Security (CPS 234). The assessments revealed significant gaps in entities’ control frameworks. APRA has stated that it is actively targeting areas of non-compliance, as it considers there is a real need to lift the bar on cyber resilience management.
Regulated entities should take steps to review their CPS 234 control frameworks
The results of the initial round of assessments, coupled with recent high profile cyber security incidents, indicate that APRA is now very clearly focussed on improving cyber resilience across its regulated population. For example, on 27 June 2023, APRA announced that, following a review of Medibank’s cyber incident, it would impose an additional $250 million capital adequacy requirement on Medibank, to remain in place until an agreed remediation program is completed.
APRA’s statement that it is actively targeting areas of non-compliance means regulated entities with gaps in their control frameworks against CPS 234 can expect increased APRA supervisory oversight. Regulated entities should review their control frameworks now, having particular regard to the control gaps and corresponding recommendations set out by APRA in its findings from this initial round of tripartite cyber assessments.
Tripartite cyber assessment
As part of its 2020-2024 Cyber Security Strategy, APRA has been undertaking large scale independent tripartite cyber assessments of APRA-regulated entities’ compliance with CPS 234. Broadly, CPS 234 requires APRA-regulated entities to maintain an information security capability, commensurate with the threats to their information assets, that provides adequate prevention, detection and response to information security vulnerabilities and threats.
The assessments involve the appointment of an independent auditor to assess each entity’s compliance with CPS 234 and will cover over 300 banks, insurers and superannuation trustees during 2023. On 5 July 2023, APRA published its initial findings from tranche one of the assessments, covering approximately 24% of its regulated entities.
APRA will release findings from the remaining four tranches throughout 2023. These will provide further insight into common industry-wide information security gaps.
Common control gaps identified to date
In its initial findings, APRA identified six common control gaps:
- incomplete identification and classification for critical and sensitive information assets
- limited assessment of third-party information security capability
- inadequate definition and execution of control testing programs
- incident response plans not regularly reviewed or tested
- limited internal audit review of information security controls, and
- inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner.
Details of control gaps and recommendations
| Observed gaps | Details | APRA recommendations |
| --- | --- | --- |
| Inadequate labelling of critical and sensitive information assets | Many entities failed to properly identify critical and sensitive information assets (such as software, hardware and data), making it difficult to apply appropriate controls and protections. Common gaps include: | Entities should consider: |
| Limited assessment of third-party information security protocols | Several entities that rely on service providers to manage critical systems failed to verify the adequacy of the third party’s information security controls. Common gaps include: | Entities should consider: |
| Ineffective control testing programs | Many entities failed to use systematic testing programs to test the effectiveness of their information security controls. Common gaps include: | Entities should consider: |
| Deficient incident response plans | Several entities’ incident response plans were inadequate, hindering their ability to respond to information security incidents. Common gaps include: | Entities should consider: |
| Limited internal audit of information security controls | Many entities did not perform sufficient internal audit of information security controls, particularly of controls managed by third parties. Common gaps include: | Entities should consider: |
| Inadequate reporting to APRA of material incidents and control weaknesses | Several entities had deficient processes for ensuring that material incidents and control weaknesses are reported to APRA. Common gaps include: | Entities should consider: |