APRA proposes new security standards for banks

In light of the probable inevitability of a major Australian financial institution, the Australian Prudential Regulatory Authority (APRA) is developing new standards and legal requirements for regulated entities.

APRA is the regulatory authority for Australian financial institutions, including banks, insurers and most members of the superannuation industry.

The regulator’s executive board member, Geoff Summerhayes, yesterday gave a presentation to the Insurance Council of Australia Annual Forum introducing its new guidelines. During his speech, Summerhayes noted that Australian financial institutions are among the top global targets for cybercriminals.

“Australia is targeted due to its relative wealth and take-up of digital technologies, while financial institutions are attractive to criminals seeking money or personally identifiable information on customers — something insurers hold in spades,” he said.

APRA research in 2016 meanwhile found that more than half of its members had experienced at least one breach in the previous 12 months that was sufficiently serious to warrant alerting executive management.

Cyber risk is accordingly an increasingly serious threat to Australian institutions, and the regulator can easily envision “a scenario in which a cyber breach could potentially damage an entity so badly that it is forced out of business,” Summerhayes said. This scenario is currently considered a remote but very real possibility.

The regulator has therefore commenced a public consultation on a proposed new cross-industry standard that would be APRA’s first prudential standard on information security.

The standard would require regulated entities to maintain sufficient information security capability to deal with changing vulnerabilities and threats, and to detect and respond in a timely manner. This would involve a requirement to notify APRA within 24 hours of experiencing a material cybersecurity incident.

“Despite APRA’s broad satisfaction with industry’s approach to cybersecurity to date, there is absolutely no room for complacency. We expect all entities will need to lift their efforts to comply with the new standard,” Summerhayes said.

“Once the standard is in place, APRA will start assessing compliance through our normal supervisory processes, and will consider requesting formal independent audits of compliance in due course.”

Image credit: ©stock.adobe.com/au/robsonphoto

Follow us and share on Twitter and Facebook