In a recent speech by APRA Member Therese McCarthy From fires to firewalls: The evolution of operational risk she revealed many banks, insurers and superannuation trustees are still struggling to meet their minimum requirements under APRA’s prudential standard on information security, CPS 234.
Where an entity is found to be significantly wanting in its compliance with APRA’s information security requirements, additional capital requirements of the kind imposed on Medibank may be a likely outcome.
In attempting to explain the problem she said:
“Given that cyber-risk is at or near the top of every corporate risk register today and has been for several years, the obvious question is “why?”.
There is a range of answers: the evolving nature of cyber threats means organisations are constantly firing at moving targets; increasing reliance on multiple outsourced service providers creates complex webs of interconnectivity, which makes oversight harder; furthermore, we know that many of our entities have laboured to migrate legacy systems to new, more secure platforms.
APRA has also observed a long period of insufficient investment in both cyber security technology and personnel with the necessary skills and experience, especially among smaller organisations that lack the deep pockets of the industry giants. But if we were to identify a root cause it would be that information security has too often been seen by boards as a technology risk and not an overall business risk. Rather than leaving cyber resilience to the IT and cyber-security departments, boards need to become much more tech savvy and alert to how the threats have changed, in particular for the data they collect and manage. Boards need to provide stronger oversight of these “crown jewels” in order to address threats as they emerge with the expediency they deserve.”
With respect to new CPS 230 which starts on 1 July 2025 APRA expects boards to focus on three key actions:
- Putting the right governance arrangements in place;
- Identifying critical operations and material service providers; and
- Beginning to develop a new organisational mindset.
She concluded
“APRA has delivered a longer than usual implementation period for our new standard on operational resilience given the scale of the change – now it’s up to banks, insurers and super trustees to deliver on the new requirements. Should they fail to do so, don’t be surprised to see APRA apply a little heat of its own.”
If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.
Author: David Jacobson
Principal, Bright Corporate Law
Email:
About David Jacobson
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.