Australia's financial services industry regulator, the Australian Prudential Regulation Authority (APRA), has signaled it will step up its review of current cyber compliance with a focus on CPS 234 requirements and hold boards accountable for shortfalls in cyber security as part of its Cyber Security Strategy for 2020 to 2024 (APRA Cyber Security Strategy).
In his speech of 27 November 2020, APRA Executive Board Member Geoff Summerhayes spoke of "strengthening the chain", acknowledging that the Australian financial system is an ecosystem of an estimated 17,000 interconnected financial entities, markets, and financial market infrastructures that provide products and services to consumers, and a cyber breach in any part of the system – such as an insurance broker, a credit ratings agency, an IT service provider or ATM repair service – can have a cascading impact on the whole system. APRA only directly supervises around 680 of these participants in the ecosystem, and is seeking to address this "gap" with its new Cyber Security Strategy.
An increased focus on the supply chain under the new APRA Cyber Security Strategy will therefore affect regulated financial services institutions as well as their suppliers, especially the likes of IT and telecommunications service providers, who can (among other things) expect an increased focus by financial institutions on:
- ensuring robust contractual cyber security protections are in place when negotiating services agreements; and
- carrying out pre-contractual due diligence to ensure that suppliers have appropriate technical and organisational measures in place to mitigate cyber security risks in practice.
The APRA Cyber Security Strategy has three primary focus areas:
- Establishing a baseline of cyber controls (with reference to CPS 234 obligations);
- Enabling boards and executives of financial institutions to oversee and direct correction of cyber exposures, by using enforcement and APRA scrutiny to elevate cyber security threats to the board level, supported by enhanced cyber guidance for board members, internal auditors and risk management professionals; and
- Rectifying weak links within the broader financial eco-system and supply chain, by engaging with a selection of suppliers, auditing associations and financial entities to develop stronger third-party provider assessment and assurance practices for use by APRA-regulated entities.
"The new strategy aims to extend APRA’s reach beyond our regulated entities to influence the broader eco-system of suppliers and providers they rely upon... our financial system is only as resilient to cyber attacks as the weakest link in the chain." APRA Executive Board Member Geoff Summerhayes - speech to Financial Services Assurance Forum (27 November 2020)