An Australian financial regulator has put its foot down on cybersecurity, forcing banks, insurers, and superannuation funds to take tougher measures to protect their systems.
From next year, APRA will require financial institutions to complete external audits of their cybersecurity systems. The goal is to “send a message” across the wider industry about the seriousness of cyber threats, and to ensure there are no gaps in existing systems.
Geoff Summerhayes, executive board member of the Australian Prudential Regulation Authority (APRA), warned that 17,000 financial entities in the country were part of an interconnected “ecosystem” and one breach could potentially snowball across the industry.
Many institutions spoke positively about their compliance with CPS 234.
“Yet when our IT Risk specialist team has conducted cyber reviews of some of these entities, we’ve discovered significant weaknesses in every instance, in areas such as testing programs, control environments and incident response capabilities,” Summerhayes said.
In the future, if a company’s cybersecurity has serious flaws, APRA will force the entity to “issue a breach notice and create a rectification plan.”
“If boards are unwilling or unable to make the required changes in a timely manner, we will consider using formal enforcement action,” Summerhayes said.
Matt Warren, professor of cybersecurity at the Royal Melbourne Institute of Technology, welcomed the tough measures, saying they were a necessity.
“APRA is taking the right step. The banking and financial sector is key to Australia’s economic wellbeing, and banks and financial organisations have to be in a position to protect their data and customer data,” he told The Epoch Times.
“The key issue is that cybersecurity is a business risk and the responsibility of the board or organisations and APRA is reinforcing that,” he said.
Cybersecurity has become a major issue in recent months following a June announcement by the prime minister that Australia was under sustained attack from a “sophisticated state-based cyber actor.”