Three areas where APRA would like to see improvement in board oversight of cyber risk
- APRA has reiterated its expectation that boards adopt a proactive approach to oversight of cyber-risk. The regulator has said that it expects boards to 'have the same level of confidence in reviewing and challenging information security issues as they do when governing other business issues'.
- APRA considers boards need to be more proactive in the following three areas: 1) 'reviewing and challenging' management reports on cyber issues generally; 2) ensuring organisations are in a position to recover from cyber-attacks (including recovering lost data); and 3) ensuring the effectiveness of information security controls across the supply chain.
APRA calls on boards to step up their oversight of cyber risk
The Australian Prudential Regulation Authority (APRA) has released an article outlining its expectations of boards with respect to oversight of cyber-risk. The key message for boards is that:
'APRA expects boards to have the same level of confidence in reviewing and challenging information security issues as they do when governing other business issues'.
Further, APRA expects boards to adopt a proactive approach. APRA states that it is
'ultimately the board’s responsibility to ensure that management is fully across the cyber threat they face and, where necessary, takes appropriate action to ensure its entity remains cyber resilient'.
Three areas for improvement
APRA states that the insights gained from two pilot initiatives - a technology resilience data collection and an independent assessment of a pilot set of entities’ compliance with Prudential Standard CPS 234 Information Security - have served to 'reinforce APRA’s view that boards need to strengthen their ability to oversee cyber resilience' and 'play a more active role in' the following three areas.
1. Reviewing and challenging cyber information
APRA states that the CPS 234 assessment and other supervisory activities have identified two key issues of concern:
- 'little evidence of boards actively reviewing and challenging the information that senior management has provided on cyber topics'
- 'that management reporting on information security to the board is not fit-for-purpose and unlikely to facilitate meaningful discussion'.
APRA makes clear that boards are expected to 'regularly seek assurance from and, as appropriate, challenge management on the effectiveness of the information security controls'. APRA points boards towards Prudential Practice Guide CPG 234 for guidance on its expectations around this, and also suggests a number of questions that may assist boards in this context. These include:
- 'What are the information security vulnerabilities and threats faced by our entity?'
- 'Is our entity’s current information security capability sufficient?'
- 'What is the overall health of the entity’s information assets and the information security control environment?'
- 'How much of the information security control environment is regularly tested?'
- 'What are the most severe but plausible security compromise scenarios that management considers the entity cannot currently withstand?'
2. Resilience: Ensuring organisations are in a position to recover from cyber attacks
APRA is concerned that some entities may not be in a position to recover critical data in the event of a ransomware attack or other 'high-impact cyber compromise'. For example, APRA states that the pilot data collection identified that:
- 'more than one third' of respondents had not tested their backups for critical systems in the past 12 months; and
- 22% of entities had not tested their cyber incident response plans in the past 12 months.
APRA calls on boards to 'regularly seek assurance in this area by communicating with management'. APRA suggests that the following questions may assist in this:
- 'What backup and recovery testing has been conducted for critical information assets, and is the testing coverage sufficient?'
- 'What plausible disruption scenarios have been considered and tested to ensure the backup and recovery capability is effective – including recovery from a successful ransomware attack where protection of backups is key?'
3. Ensuring the effectiveness of information security controls across the supply chain
APRA states that the results of its CPS 234 assessment and supervisory reviews demonstrate that entities are 'not applying sufficient rigour in testing the design and operating effectiveness of their service providers’ information security controls'. Among other things, APRA flags some entities' heavy reliance on self-assessments or surveys completed by their service providers (in the absence of independent verification of their effectiveness) as an area of concern. APRA considers that this is of particular relevance given that cyber-attacks frequently target suppliers in order to identify a 'weak link'.
APRA calls on boards 'to play a more active role in challenging management’s assumptions' around the effectiveness of security controls. APRA suggests that the following questions could assist in this context:
- 'What controls are in place to protect our business and minimise customer impact when the information security of one (or more) of our suppliers is compromised?'
- 'What blind spots do we have on the end-to-end supply chain of our business which could challenge our resilience to a cyber-attack?'
APRA’s pilot CPS 234 assessment involved a small sample of banking, insurance and superannuation entities undergoing an independent assessment against CPS 234 requirements. APRA plans to continue to roll out the CPS 234 independent assessment to remaining APRA-regulated entities 'over the next couple of years' and to 'share relevant insights' with industry.
[Source: APRA media release 23/11/2021]