APRA identifies controls gaps leaving Financial Services companies open for cyber attacks

The Australian Prudential Regulation Authority (APRA) has now released the long awaited findings from its independent tripartite cyber assessment over compliance with CPS 234. The themes identified by APRA are based on the audit of more than 300 banks, insurers and superannuation trustees – a significant industry wide program.

From the summary - "The most common control gaps identified as a result of these first tranche of assessments are:

• incomplete identification and classification for critical and sensitive information assets;
• limited assessment of third-party information security capability;
• inadequate definition and execution of control testing programs; 
• incident response plans not regularly reviewed or tested;
• limited internal audit review of information security controls; and
• inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner."

The APRA summary goes on to specify additional details for each theme noted above and provides entities with considerations for remediation. All APRA regulated entities, and those providing services to APRA regulated entities, should read the summary of the findings in detail so their processes and controls can level up to industry expectations.

APRA has indicated that where entities do not sufficiently meet the CPS 234 requirements they will continue to work with them through intensified supervisory oversight. In doing so, APRA seeks to ensure the industry and broader ecosystem is appropriately resilient to cyber attacks. APRA can also take other actions such as its requirement for entities to hold increased levels of capital. This was made very clear last week when APRA levied Medibank Private with a $250m increased holding requirement as a direct impact in connection with “weaknesses identified in Medibank’s information security environment”.

We know from experience that entities with identified gaps will require changes to people, process, technology and suppliers to meet CPS 234 requirements and for many, these programs will be significant undertakings. Contact us today to discuss how we can support you with controls audit and assurance, remediation program activities, or third party supplier risk management.

If you are yet to have your tripartite audit conducted, please visit Grant Thornton Controls Assurance Reporting for more information. 

Learn more about how our Controls assurance reporting services can help you

Visit our Controls assurance reporting page