APRA identifies technology risks

Recent announcements by the Australian Prudential Regulation Authority (APRA) discuss the risks associated with Artificial Intelligence and cyber threats.

In a recent speech, an APRA Executive Board Member said that APRA broadly supports regulated entities beginning to test how they can incorporate AI into their practices.

But they cautioned that:

In common with any type of outsourcing, companies cannot delegate full responsibility to an AI program. This becomes even more important when we consider that generative AI will involve automated decision-making. Entities must have, to use the industry jargon, a “human in the loop”: an actual person who is accountable for ensuring it operates as intended. This doesn’t necessarily mean human involvement in AI decisions – for example, stopping a potentially fraudulent transaction requires fast action. Instead, it is about someone being accountable for the algorithm, its sound operation, and the outcomes it delivers.

They asked:

  • Are appropriate cyber security controls in place to deal with AI-enabled threats? CPS 234 Information Security covers that.
  • Is data protected from misuse or theft? Entities can find guidance in CPG 235 Managing Data Risk.
  • Has the entity considered AI risks introduced by a third party? CPS 230 Operational Risk Management, which comes into effect next year, will deal with that.

APRA has written to all APRA-regulated entities emphasising the critical role of data backups in cyber resilience.

APRA has identified the common issues observed in backup practices that could hinder system restoration during an incident.

APRA expects regulated entities to review their backup arrangements. If the review identifies gaps that could materially impact the entity’s risk profile or financial soundness, APRA considers this a material security control weakness notifiable under paragraph 36 of CPS 234. Any identified gaps must be remedied promptly.

APRA’s observed weaknesses are:

  • Insufficient segregation between production and backup environments
  • Insufficient control testing coverage and rigour to ensure backups are protected from compromise
  • Insufficient testing of capability to recover systems and data within tolerance levels from backups


Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.
