Home / Super / APRA takes stock and issues stark warning in the middle of cyber security study

APRA takes stock and issues stark warning in the middle of cyber security study

The prudential regulator is "rigorously targeting" areas of non-compliance it identifies during its massive study of cyber resilience among banks, insurers and superannuation trustees.

APRA has issued a warning to banks, insurers and superannuation trustees that it is taking notice of cyber-security laggards as it reaches the mid-point of a landmark study into entities’ readiness for online threats.

The regulator says it is “rigorously targeting” areas of non-compliance after assessing 24 per cent of its regulated entities and finding seven “common control gaps”.

These areas of compliance fallibility include “incomplete identification and classification”, shortfalls in the assessment of security levels at third party providers and the “inadequate definition and execution” of control testing programs.

  • APRA also took issue with poor incident response plans, limited information security control reviews and “inconsistent reporting of material incidents”.

    The regulator’s study into cyber security comes after PwC, in partnership with Gateway Network Governance Body, released a 2021 report calling for a collaborative approach to combative cyber threats in the super system, after $30 billion was lost by Australian businesses to cyber attacks in the preceding year.

    In May 2022, Spirit Super (shortly after the merged entity was created out of Tasplan and MTAA Super) reported 50,000 members were hit by a data breach in the form of a phishing attack.

    One of PwC’s key findings was that no one entity is clearly responsible for cybersecurity oversight in superannuation.

    “There is a lack of accountability and cyber risk leadership for end to-end cyber resilience of the ecosystem,” the PwC report stated. “While there are a number of regulators in the ecosystem, each has a different area of focus and none has ultimate or overall accountability.”

    There was also no “common standard” for cybersecurity, PwC noted, and lower cybersecurity engagement among superannuation fund members, who didn’t interact with their fund often.

    “In combination with the lack of a holistic and coordinated approach to respond to cyber incidents in the ecosystem, it is only a matter of time before a well-coordinated cyber attack could result in significant and widespread disruption,” PwC warned.

    In response APRA has spoken to 300 banks, insurers and superannuation trustees as part of its cyber security audit. The second and third tranches of its assessment are currently being undertaken, while the fourth and final tranche of insights is due to be rolled out before the end of the year.

    Meanwhile, the regulator has put funds and large entities on notice.

    “APRA encourages every entity to review those common weaknesses outlined above, along with the prudential standard itself, and incorporate relevant strategies and plans to address shortfalls in their cyber security controls and governance policies.”

    Staff Writer

    TelstraSuper expands ‘nimble and innovative’ climate investments

    The $27 billion TelstraSuper’s move to back Quinbrook’s Net Zero Power Fund is the latest in a series of climate-related investments that it feels are well-suited for smaller and more agile funds.

    Lachlan Maddock | 17th Jul 2024 | More
    Thriving in a new market environment means getting agile: Colonial First State

    A different investment environment requires a different investment model, says Colonial First State, and funds will have to become more nimble if they’re to cope.

    Lachlan Maddock | 12th Jul 2024 | More
    ‘Unique advantages’: Rest boosts private debt allocation

    The $85 billion industry fund has tipped more money into a real estate debt fund from Metrics Credit Partners as it looks to diversify its private markets exposures.

    Lachlan Maddock | 10th Jul 2024 | More