Hannah Morgans
Growth Leader, Cyber
-
Australia
The Australian Prudential Regulation Authority (APRA) aims to protect financial institutions and the financial system as a whole by proactively identifying and responding to significant risks.
APRA has recently released its policy and supervision priorities for 2023, in accordance with its latest Corporate Plan. Notably, APRA has stated that given the heightened risk of operational disruptions, including cyberattacks, it:
In line with this focus, there are two key policy and supervision priorities for 2023 that are particularly relevant to financial institutions assessing their cybersecurity posture. These include:
APRA has stated that regulated entities must be able to identify and effectively respond to business disruptions and operational risks and to ensure the data they hold is secure.
In 2023, there will be a focus on strengthening operational resilience through oversight of third-party service provision, technology resilience, operational risk and compliance.
This focus foreshadows the pending implementation of Prudential Standard CPS 230 Operational Risk Management (CPS 230) which will provide a framework for financial institutions to manage their information and technology risks, and ensure the stability and resilience of their operations.
As part of its 2020-2024 Cyber Security Strategy, APRA issued Prudential Standard CPS 234 Information Security (CPS 234). Under CPS 234, regulated entities must complete assessments of their compliance with the standard at specific intervals, as well as report information security incidents and information security control weaknesses to APRA as soon as possible.
In 2023, APRA intends to use this information to exercise heightened supervision on cyber resilience, including:
APRA has also expressed that it will be focussing on board effectiveness in relation to cyber resilience, and will issue information requests to board members at select regulated entities to gain a better insight into practices and potential weaknesses.
Australian financial institutions should consider whether their own policies and practices align with APRA’s expectations, and adopt additional measures as appropriate. Questions that financial institutions should be asking, include:
By responding to these questions and identifying potential gaps in the financial institution’s policies and practices, the financial institution will be better equipped to meet APRA’s expectations and maintain the stability and resilience of the financial system as a whole.
As your trusted advisor and partner in cyber risk management and enterprise risk assessment, Marsh can work with you to determine your current cyber risk posture and implement improved protocols and procedures to enhance insurability, loss mitigation and cyber resilience. These reviews will extend beyond your technical risk management procedures to include the enterprise wide review of cyber resilience, data protection and incident preparedness.
Growth Leader, Cyber
Australia
This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. LCPA 23/113