Home / Super / APRA takes stock and issues stark warning in the middle of cyber security study

APRA takes stock and issues stark warning in the middle of cyber security study

The prudential regulator is "rigorously targeting" areas of non-compliance it identifies during its massive study of cyber resilience among banks, insurers and superannuation trustees.
Super

APRA has issued a warning to banks, insurers and superannuation trustees that it is taking notice of cyber-security laggards as it reaches the mid-point of a landmark study into entities’ readiness for online threats.

The regulator says it is “rigorously targeting” areas of non-compliance after assessing 24 per cent of its regulated entities and finding seven “common control gaps”.

These areas of compliance fallibility include “incomplete identification and classification”, shortfalls in the assessment of security levels at third party providers and the “inadequate definition and execution” of control testing programs.

  • APRA also took issue with poor incident response plans, limited information security control reviews and “inconsistent reporting of material incidents”.

    The regulator’s study into cyber security comes after PwC, in partnership with Gateway Network Governance Body, released a 2021 report calling for a collaborative approach to combative cyber threats in the super system, after $30 billion was lost by Australian businesses to cyber attacks in the preceding year.

    In May 2022, Spirit Super (shortly after the merged entity was created out of Tasplan and MTAA Super) reported 50,000 members were hit by a data breach in the form of a phishing attack.

    One of PwC’s key findings was that no one entity is clearly responsible for cybersecurity oversight in superannuation.

    “There is a lack of accountability and cyber risk leadership for end to-end cyber resilience of the ecosystem,” the PwC report stated. “While there are a number of regulators in the ecosystem, each has a different area of focus and none has ultimate or overall accountability.”

    There was also no “common standard” for cybersecurity, PwC noted, and lower cybersecurity engagement among superannuation fund members, who didn’t interact with their fund often.

    “In combination with the lack of a holistic and coordinated approach to respond to cyber incidents in the ecosystem, it is only a matter of time before a well-coordinated cyber attack could result in significant and widespread disruption,” PwC warned.

    In response APRA has spoken to 300 banks, insurers and superannuation trustees as part of its cyber security audit. The second and third tranches of its assessment are currently being undertaken, while the fourth and final tranche of insights is due to be rolled out before the end of the year.

    Meanwhile, the regulator has put funds and large entities on notice.

    “APRA encourages every entity to review those common weaknesses outlined above, along with the prudential standard itself, and incorporate relevant strategies and plans to address shortfalls in their cyber security controls and governance policies.”

    Staff Writer


    Related
    Improve ‘outrageous service’ of death benefits, Kelty warns industry funds

    A key architect of the compulsory retirement savings system lauds its many achievements, stretching from the national economy to the individual. Where it’s double faulting is in serving members – and it needs to be addressed promptly.

    Nicholas Way | 15th Apr 2025 | More
    When to de-risk proving a roadblock for life-cycle super strategies

    With the introduction of MySuper, it seemed investment options based on a person’s age would be the wave of the future. While there were some early adopters, the balanced approach has remained the preferred option.

    Penny Pryor | 15th Apr 2025 | More
    Smaller industry funds putting the spotlight on member service

    The ASIC report into death benefit claims revealing the devastating impact of poor industry practices on grieving Australians has again highlighted the pressing need for change. While some funds have taken up the cudgels, others are still playing hardball on improving their service offering.

    Nicholas Way | 4th Apr 2025 | More
    Popular