Home / Super / APRA takes stock and issues stark warning in the middle of cyber security study

APRA takes stock and issues stark warning in the middle of cyber security study

The prudential regulator is "rigorously targeting" areas of non-compliance it identifies during its massive study of cyber resilience among banks, insurers and superannuation trustees.
Super

APRA has issued a warning to banks, insurers and superannuation trustees that it is taking notice of cyber-security laggards as it reaches the mid-point of a landmark study into entities’ readiness for online threats.

The regulator says it is “rigorously targeting” areas of non-compliance after assessing 24 per cent of its regulated entities and finding seven “common control gaps”.

These areas of compliance fallibility include “incomplete identification and classification”, shortfalls in the assessment of security levels at third party providers and the “inadequate definition and execution” of control testing programs.

  • APRA also took issue with poor incident response plans, limited information security control reviews and “inconsistent reporting of material incidents”.

    The regulator’s study into cyber security comes after PwC, in partnership with Gateway Network Governance Body, released a 2021 report calling for a collaborative approach to combative cyber threats in the super system, after $30 billion was lost by Australian businesses to cyber attacks in the preceding year.

    In May 2022, Spirit Super (shortly after the merged entity was created out of Tasplan and MTAA Super) reported 50,000 members were hit by a data breach in the form of a phishing attack.

    One of PwC’s key findings was that no one entity is clearly responsible for cybersecurity oversight in superannuation.

    “There is a lack of accountability and cyber risk leadership for end to-end cyber resilience of the ecosystem,” the PwC report stated. “While there are a number of regulators in the ecosystem, each has a different area of focus and none has ultimate or overall accountability.”

    There was also no “common standard” for cybersecurity, PwC noted, and lower cybersecurity engagement among superannuation fund members, who didn’t interact with their fund often.

    “In combination with the lack of a holistic and coordinated approach to respond to cyber incidents in the ecosystem, it is only a matter of time before a well-coordinated cyber attack could result in significant and widespread disruption,” PwC warned.

    In response APRA has spoken to 300 banks, insurers and superannuation trustees as part of its cyber security audit. The second and third tranches of its assessment are currently being undertaken, while the fourth and final tranche of insights is due to be rolled out before the end of the year.

    Meanwhile, the regulator has put funds and large entities on notice.

    “APRA encourages every entity to review those common weaknesses outlined above, along with the prudential standard itself, and incorporate relevant strategies and plans to address shortfalls in their cyber security controls and governance policies.”

    Staff Writer


    Related
    Retail superannuation funds are back in town

    In the wake of the Hayne Royal Commission, industry funds reigned supreme. It has taken more than five years, but the for-profit funds are finally back in the game as the not for profits increasingly struggle to service members nearing or in retirement.

    Duncan Hughes | 21st Mar 2025 | More
    Australian super can weather the Trump storm: Whiteley

    While the White House’s economic nostrums are rattling the markets, the long-term outlook for commercial and investment relations between the two countries is positive, with a recent summit in the US further cementing ties.

    Penny Pryor | 14th Mar 2025 | More
    Morningstar is upping the ante on super fund research

    The ratings house is pinning its growth strategy on a revamped methodology that increases the emphasis on governance to 25 per cent – a timely move considering APRA’s proposed reforms.

    Penny Pryor | 7th Mar 2025 | More
    Popular