Navigating the Cybersecurity Landscape: Reflections on APRA's CPS 234 Assessments


Are we as cyber resilient as we think? APRA's recent cybersecurity stocktake of over 300 financial institutions reveals some startling insights...

The Australian Prudential Regulation Authority's (APRA) recent cybersecurity stocktake (link), as part of their expansive study on cyber resilience in financial services, has highlighted several gaps in the cybersecurity practices of regulated entities. The study involved more than 300 banks, insurers, and superannuation trustees participating in an independent tripartite cyber assessment, aiming to evaluate their compliance with the prudential standard CPS 234 Information Security (CPS 234).

The stocktake revealed several common control gaps:
- Incomplete identification and classification for critical and sensitive information assets
- Limited assessment of third-party information security capability
- Inadequate definition and execution of control testing programs
- Incident response plans not regularly reviewed or tested
- Limited internal audit review of information security controls
- Inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner

These findings underscore the need for continuous improvement and vigilance in our cybersecurity practices.

In the four years since CPS 234 was introduced, I've witnessed firsthand the changes implemented at some of Australia's biggest banks and insurers. Some of these changes have been well adopted, leading to a strong uplift in security posture. However, other changes were introduced without adequate consultation, leading to additional friction points. It is a delicate balance to strike - enhancing security without compromising user experience or operational efficiency.

Among the gaps mentioned in the stocktake, the findings on control testing programs stood out: inconsistent testing, a lack of independence, and inadequate assurance from the testing that was performed. Penetration testing is a critical component of this, providing a real-world assessment of an organisation's security posture. APRA's guidance steers organisations to adopt multiple testing approaches, to clearly define success criteria, and to have testing conducted by appropriately skilled and functionally independent specialists.

The role of regulatory bodies like APRA in shaping cybersecurity practices in the financial services sector cannot be overstated. The introduction of CPS 234 has mandated strong cybersecurity practices, and APRA's strategy of continuous assessment and monitoring is a positive step towards maintaining and enhancing these practices.

As we navigate the evolving cybersecurity landscape, it's clear that continuous improvement is key. The industry has come a long way, though the APRA stocktake serves as a valuable reminder of the work that still needs to be done.