We outline the latest announcements from APRA and ASIC

As previously reported, following a record year for consumer scam losses, regulators have stepped up their focus on scam prevention. Likewise, the government and the Australian Banking Association have recently announced new anti-scam measures (see: Combatting online scams: Government and the banking sector announce new measures).

Regulatory focus on the issue continues this week, with the Australian Prudential Regulation Authority (APRA) calling on the banking, insurance and superannuation sectors to review their use of multi-factor authentication.

APRA flags gaps in current approach to multi-factor authentication, calls on regulated entities to review their approach

APRA has written to APRA-regulated entities underlining the importance of using multi-factor authentication (MFA), one of the Essential 8 mitigation strategies, to protect against cyber threats.

APRA states that MFA is

'one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network'

The letter outlines APRA’s observations on 'gaps in the implementation of MFA across its regulated industries'. In particular, the letter flags that APRA has:

'noted examples where MFA for customers has been deployed on an opt-in basis, or where exceptions have been granted for customers without mobile phones or located in areas without reliable phone reception. Other examples include remote access being provided for third-party staff without associated MFA'.

The letter makes clear that APRA

'expects APRA-regulated entities to review the coverage of MFA in their operating and technology environments. Where gaps in the coverage of MFA have the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers, APRA would consider this to be a material security control weakness, and under paragraph 36 of CPS 234 require an entity to notify APRA' [emphasis added]

The letter directs entities to refer to Prudential Standard CPS 234 Information Security (and accompanying guidance) for more information on APRA's expectations in this area.

APRA adds that it plans to review CPS 234 'to clarify our expectations on information security controls and provide additional guidance for industry' (though no specific timeframe is given for this).

ASIC to roll out Cyber Pulse Survey

Separately, the Australian Securities and Investments Commission (ASIC) has said it will conduct a survey gauging the strength of regulated entities' cyber capabilities and cyber resilience. Specifically, the survey is intended to help organisations assess their ability to:

  • govern and manage organisational-wide cyber risks
  • identify and protect information assets that support critical business services
  • detect, respond to, and recover from cyber security incidents.

ASIC says that the multiple-choice survey is 'suitable for ASIC-regulated entities of all sizes and sectors' and that participation will be voluntary. ASIC also assures those who choose to participate that:

'all information collected will be anonymous and cannot be used against you in regulatory or enforcement action'.

On completion of the survey, survey participants will have the option to receive an individual report providing

'insights into how you assess your organisation’s current cyber resilience capability compared to your industry peers'.

ASIC also plans to publish a report on the key findings, which is expected to provide sectoral insights, and highlight better practices and areas for improvement.

[Source: ASIC Market Integrity Update Issue 148 25/05/2023; APRA letter to industry 26/05/2023]