Blog post -

Australian Prudential Regulation Authority (APRA) updates four-year plan

by Joss Howard, Senior Advisor, NCC Group

2020 has been a tumultuous year for all, the Australian Prudential Regulation Authority (APRA) included. This week they released an update of their four year plan, acknowledging the significant impact of not only COVID-19, but also the devastating bushfires and storms that occurred since their last plan.

APRA has a new focus on what they dub ‘immediate priorities’ for the next 12-18 months when the future and economy is still adjusting to the new normal. APRA is cognisant that it plays an important role in protecting the financial wellbeing of the Australian community in these times of unprecedented adversity. It has been necessary for APRA to rapidly adapt to a volatile external environment and respond as events unfold in close coordination with Government, peer regulators and industry,” Wayne Byres stated in his Chair’s Foreword.

In the longer term, APRA’s 2020-2024 Corporate Plan continues its commitment to delivering four key community outcomes:

  • maintaining financial sector resilience;
  • improving outcomes for superannuation members;
  • transforming governance, culture, remuneration and accountability across all regulated institutions; and
  • improving cyber resilience across the financial system.

In relation to the last outcome APRA recognised that, Cyber-attacks are increasing in frequency, sophistication and impact both domestically and globally. All indications are that the risk will continue to grow, requiring a continuous cycle of investment in sound practices.”

Building on the release of their CPS 234 Information Security standard (NCC Group’s CPS 234 on-demand webinar can be viewed here), they have been developing their 2020-2024 Cyber Security Strategy. APRA says that it plans to expand its cyber approach by applying a broader set of tools and techniques across the industry. It’s also expected the strategy will broaden its scope to include the broader eco-system of suppliers and providers that financial institutions rely upon, like it has done in the second phase of CPS 234.

The Plan went on to state that the end-state of cyber security is still unclear, there are a number of actions that can be taken to limit the impact of cyber incidents in the community. Over the longer-term, APRA will:

  • establish a baseline of cyber controls by reinforcing embedding of non-negotiable cyber practices, facilitating sharing of relevant and timely cyber information and enabling effective incident response for the financial system;
  • enable the Board and executives of financial institutions to oversee and direct correction of cyber exposures by formulating sound practice guidance and stepping up APRA’s scrutiny of cyber oversight practices;
  • identify and focus on work to address weak links within the broader financial eco-system and supply chain by fostering maturation of provider cyber-assessment and assurance and harmonising the regulation and supervision of cyber across the financial system; and
  • innovate using impactful regulatory tools and approaches by actively harmonising regulatory cyber efforts and dialling-up supervision scrutiny and intensity.

What does this mean for the financial services industry and its suppliers? 

We expect that organisations will get notification of new prudential standards from APRA in the near-mid future, and for APRA to be firmer in their scrutiny and supervision of entities cyber resilience. APRA has clearly stated that it will “establish a baseline of cyber controls by reinforcing embedding of non-negotiable cyber-practices.

It goes without saying that cyber-risks have increased due to the escalation in working from home, cloud usage for anywhere services (which may present data privacy and sovereignty issues) and APRA acknowledge these risks in their plan.

It is therefore, very important for businesses to remain agile, focused on reducing their internal and external cyber-risk, especially in supply chains. Boards need senior management to ensure that they are well-informed of any changes so that the business takes the appropriate action.

While this is a challenge during this current time, compliance with any new regulations, protecting member information and implementing robust controls is a priority for the safety of the business, its customers and the finance industry.

You can view the full plan on APRA’s website here

Topics

  • Consulting

Contacts

NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7721577574

Related content

Implementing APRA’s CPS 234 Prudential Standard

APRA first announced the prudential standard in March 2018. The required entities (as defined by APRA) need to comply with the standard by July 1, 2019. Further, the suppliers of APRA regulated entities are also required to comply with the standard by July 1, 2020.

As the cyber attack against Australia ramps up, it's time to take action

Prime Minister Scott Morrison has formally addressed Australia this morning, stating that our organisations are being targeted by a sophisticated state-based actor. The Government have attributed the ongoing malicious activity to a nation state actor because of the scale and nature of the targeting and the tradecraft being used. [1]
As stated, this activity is not new but increasing. NCC Group

UK PRA publishes rules for outsourcing and third-party risk management

This week, the UK’s Prudential Regulation Authority (PRA) published rules on outsourcing and third-party risk management. Following on from our ‘Spotlight on’ piece, our global managing director – software resilience at NCC Group, Simon Fieldhouse, reacts to this news.

Five questions you should be asking about your business’ cyber resilience

Joss Howard, senior advisor at NCC Group shares the five questions she thinks businesses should be asking themselves in order to build a robust cyber security posture.

Cloud Responsibility: webinar questions answered

Whose responsibility is the security of your company's cloud environment? Is it you? The service provider? We answered all these questions in a recent webinar, Full Speed into the Cloud: but where does the responsibility lie?, and have compiled the answers here for you.