APRA Expects Boards to Strengthen Ability to Oversee Cyber Resilience

APRA expects boards to have the same level of confidence in reviewing and challenging information security issues as they do when governing other business issues. The pilot independent CPS 234 assessment involved a small sample of banking, insurance, and superannuation entities undergoing an independent assessment against the requirements of CPS 234. The results of the two pilots, together with the outcomes of recent supervisory activities, led APRA to conclude that boards need to play a more active role in: 

• Reviewing and challenging information reported by management on cyber resilience
• Ensuring their entities can recover from high-impact cyber-attacks (for example, ransomware)
• Ensuring information security controls are effective across the supply chain

APRA notes that it is ultimately the board’s responsibility to ensure that management is fully across the cyber threat they face and, where necessary, takes appropriate action to ensure its entity remains cyber resilient. Over the next couple of years, APRA will continue to roll out the CPS 234 independent assessment process for the remaining entities across the banking, superannuation and insurance industries. APRA intends to share relevant insights with industry from its data collection and other strategic initiatives on cyber security, with a view to lifting practices and enhancing cyber resilience throughout the financial sector.

Related Link: APRA Insights from Pilots

Keywords: Asia Pacific, Australia, Banking, Cyber Risk, CPS 234, Cyber Security Strategy, Governance, ESG, APRA