Overview
In his address to the Financial Services Assurance Forum, APRA Executive member Geoff Summerhayes outlined the key points of APRA's new Cyber Security Strategy for 2020 to 2024. In doing so, Mr Summerhayes emphasised APRA's expectation that firms prioritise cybersecurity, starting with ensuring their full compliance with CPS 234 Information Security.
Cyber risk is a growing threat
- The threat that cyber risk poses is accelerating: Mr Summerhayes said that though no APRA-regulated entity has yet been targeted by a 'material cyber breach', the regulator remains of the view that 'it's only a matter of time until a major incident occurs'.
- Industry has not done enough to counter the threat: Though firms have taken some steps, APRA considers that the way in which the financial services industry manages cyber risk could be improved. In particular, Mr Summerhayes flagged both board oversight of cyber risk and the effectiveness of internal audit functions as areas in need of improvement.
- Changes in work practices have also left firms vulnerable: Mr Summerhayes also observed that the rapid shift to working from home arrangements as a result of the COVID-19 pandemic has meant that many firms have 'needed to make compromises' in order to maintain business continuity. However, he observed that few have since 'gone back to firmly close the gates they left ajar in March'. Mr Summerhayes said that though these 'risk trade-offs' were understandable in the circumstances, it is an area where APRA can 'no longer hold off tightening the regulatory screws', especially in light of the evidence of poor compliance with CPS 234.
APRA's new Cybersecurity Strategy for 2020-24
Mr Summerhayes briefly described the key points in APRA's new cybersecurity strategy, which he described as a 'step change in regulatory intervention'.
Broadly, Mr Summerhayes said that APRA will tighten accountability for failure to comply with CPS 234 through:
- increased scrutiny of board cyber oversight practices
- the release of 'enhanced cyber guidance for board members, internal auditors and risk management professionals'. The new guidance will be developed in partnership with relevant professional bodies (the Australian Institute of Company Directors, the Risk Management Institute of Australasia, the Institute of Internal Auditors)
- the use of a 'broader set of regulatory tools and techniques' to impose 'greater accountability on entities that fail to adequately comply with their prudential obligations'.
APRA will also look to strengthen third party provider assessment and assurance practices. Mr Summerhayes said that the new strategy will 'extend APRA’s reach beyond our regulated entities to influence the broader eco-system of suppliers and providers they rely upon'.
External reviews of CPS 234 compliance: APRA will consider taking formal enforcement action where non-compliance is not addressed with sufficient speed
Mr Summerhayes said that the regulator will,
… 'shortly be requesting one-off tripartite independent cyber security reviews across all our regulated industries. Starting next year, APRA will be asking boards to engage an external audit firm to conduct a thorough review of their CPS 234 compliance and report back to both APRA and the board. We haven’t made a final determination on which entities this will apply to, but all entities should prepare accordingly'.
Mr Summerhayes said that the purpose of the exercise is to identify compliance issues and ensure they are rectified as quickly as possible, and that it is also about 'sending a message' on the seriousness of the issue and the need for greater accountability.
'In light of evidence that boards frequently don’t understand or are not adequately informed about cyber risks, we’re no longer prepared to simply take their words for it – we want compliance independently verified, and we will be applying serious pressure when it’s not forthcoming. Where gaps are sufficiently material, we will consider forcing entities to issue a breach notice and create a rectification plan. If boards are unwilling or unable to make the required changes in a timely manner, we will consider using formal enforcement action. The intention, as per our “constructively tough” enforcement philosophy, is to expedite positive change to protect institutions, the customers that rely on them and the broader financial system'.
[Source: APRA Executive Board Member Geoff Summerhayes - speech to Financial Services Assurance Forum 26/11/2020]
To keep up to date on this issue and other risk, governance and financial services related developments refer to our weekly newsletter Governance News.