AST APRA Board Cyber Resilience Role

On Nov. 23, AST APRA discussed findings on boards' cyber approach.

  • AST APRA discussed the role of boards in cyber resilience and the results of its two recent pilot research initiatives as per its 2020-2024 cyber security strategy.
  • Follows AST APRA Nov. 2020 remarks at a forum on cyber risks and strategy, see #91829.
  • Background
  • Covid and digital technology mean board cyber due diligence is more vital than ever.
  • Its pilot technology resilience data collection and its independent assessment of entities' compliance with prudential standard CPS 234 both identified issues in this area.
  • Pilot technology resilience data collection surveyed regulated entities across banking, superannuation, insurance; CPS 234 assessment used small sample of same groups.
  • Covered resourcing, system health, information security, disaster recovery statistics.
  • Findings
  • Boards not actively reviewing and challenging information from senior management.
  • Management reporting on information security is often not fit-for-purpose.
  • Entities not regularly testing backups for critical systems or cyber incident response plans; reliance on service providers' security controls and on self-assessment for CPS 234 testing.
  • Boards must better oversee cyber resilience for management to take correct action.
  • Next Steps
  • AST APRA will continue to roll out CPS 234 independent assessment process for the remaining entities across the banking, superannuation and insurance industries.

Regulators AST APRA
Entity Types Bank
Reference PR, 11/23/2021; CPS 234; Cyber
Functions Compliance; C-Suite; Financial; Legal; Outsourcing; Registration/Licensing; Reporting; Risk; Technology; Treasury
Countries Australia
Products Banking; Corporate
Regions AP
Rule Type Guidance
Rule Date 11/23/2021
Effective Date 11/23/2021
Rule Id 122124
Linked to Rule :91829
Reg. Last Update 11/23/2021
Report Section International

Last substantive update on 11/24/2021