Strengthening Cyber Resilience: How APRA's Regulations are Shaping the Future of Australian Banks

In today’s data-driven age, information security is a critical consideration for businesses and financial institutions (FIs). The Australian Prudential Regulation Authority (APRA) has taken a proactive approach by conducting a comprehensive assessment of more than 300 Australian Deposit Institutions (ADIs). This independent cyber assessment aims to ensure that these institutions have the prevention, detection, and response capabilities needed to withstand the constantly evolving threat landscape, in accordance with APRA's prudential standards.

APRA will be conducting assessments and publishing updated findings throughout 2023 and 2024. These initial findings identified six control gaps that require immediate attention to improve the cyber resilience of ADIs.

The six common control gaps

  • Governance and accountability: APRA's assessment found that many ADIs lack a comprehensive governance framework for cyber risk management. This gap highlights the need for clear lines of accountability and responsibility within these institutions.
  • Third-party risk management: The assessment revealed gaps in managing risks associated with third-party service providers, underscoring the importance of comprehensive vendor risk assessments.
  • Incident response planning: Inadequate incident response planning and testing are prevalent among ADIs. A robust plan is essential to minimise the impact of cyber incidents.
  • Data management and protection: Many ADIs must enhance their data management and protection strategies to safeguard customer information from potential breaches.
  • Security patch management: Many ADIs have struggled with timely and effective security patch management, exposing vulnerabilities for extended periods.
  • Access controls: The assessment uncovered issues related to access controls, indicating a need for improved identity and access management practices.

APRA urges ADIs to address the weaknesses it has identified in their cybersecurity controls. These gaps must be rectified through the implementation of new strategies. APRA has also stated that it will continue to evaluate entities that fail to meet these requirements throughout the year and beyond.

How Synpulse can help

As information security becomes increasingly important, Synpulse is assisting banks in evaluating their IT data management and operational risk controls. Leveraging our expertise in these areas, we can ensure that banks meet APRA's recommended standards.

Our offerings include:

  • Comprehensive assessments: Synpulse can conduct in-depth evaluations of your institution's operational risk and IT data management controls to ensure alignment with APRA's standards.
  • Strategic roadmaps: We can help banks build strategic roadmaps that address immediate control gaps while providing a long-term vision for cyber resilience.
  • Policy and procedure enhancements: With a keen focus on policies and procedures, we can assist banks in fortifying their governance frameworks and security protocols.

The road ahead

APRA is taking concrete steps to address information security concerns among ADIs, and will continue to ensure that institutions comply with regulations as the regulatory landscape evolves. While no fines or penalties have yet been imposed for security breaches, the regulator is increasing its scrutiny and evaluation of ADIs that fail to comply.

In conclusion, APRA's cyber assessment initiative is essential for safeguarding the Australian financial sector. Synpulse, with its specialised expertise, is prepared to assist ADIs in meeting APRA's standards and securing a resilient future for the financial industry in Australia. In this digital age, protecting financial institutions is not only a regulatory mandate but a fundamental necessity for maintaining trust and security in the financial sector.