APRA Expects Boards to Strengthen Ability to Oversee Cyber Resilience
The Australian Prudential Regulation Authority (APRA) recently completed two pilot initiatives in its 2020-2024 Cyber Security Strategy, which was published in November 2020. These pilots are a technology resilience data collection and an independent assessment of a pilot set of entities’ compliance with CPS 234, the prudential standard on information security. APRA is now publishing insights gained from the two pilots and from its supervisory activities. The insights reinforce APRA’s view that boards need to strengthen their ability to oversee cyber resilience.
APRA expects boards to have the same level of confidence in reviewing and challenging information security issues as they do when governing other business issues. The pilot independent CPS 234 assessment involved a small sample of banking, insurance, and superannuation entities undergoing an independent assessment against the requirements of CPS 234. The results of the two pilots, together with the outcomes of recent supervisory activities, led APRA to conclude that boards need to play a more active role in:
- Reviewing and challenging information reported by management on cyber resilience
- Ensuring their entities can recover from high-impact cyber-attacks (for example, ransomware)
- Ensuring information security controls are effective across the supply chain
APRA notes that it is ultimately the board’s responsibility to ensure that management is fully across the cyber threat they face and, where necessary, takes appropriate action to ensure its entity remains cyber resilient. Over the next couple of years, APRA will continue to roll out the CPS 234 independent assessment process for the remaining entities across the banking, superannuation and insurance industries. APRA intends to share relevant insights with industry from its data collection and other strategic initiatives on cyber security, with a view to lifting practices and enhancing cyber resilience throughout the financial sector.
Related Link: APRA Insights from Pilots
Keywords: Asia Pacific, Australia, Banking, Cyber Risk, CPS 234, Cyber Security Strategy, Governance, ESG, APRA
Previous Article
EIOPA Publishes Report on Use of Capital Add-Ons Under Solvency IIRelated Articles
OSFI Discusses Benchmark Rate Transition, Sets Out Work Priorities
The Office of the Superintendent of Financial Institutions (OSFI) published the strategic plan for 2022-2025 and the departmental plan for 2022-23.
EBA Proposes Standards to Support Secondary NPL Markets
The European Banking Authority (EBA) is consulting, until August 31, 2022, on the draft implementing technical standards specifying requirements for the information that sellers of non-performing loans (NPLs) shall provide to prospective buyers.
EU Confirms Agreement on Rules on Cybersecurity and Banking Resolution
The European Council and the Parliament reached an agreement on the revised Directive on security of network and information systems (NIS2 Directive).
EBA Issues Standards for Crowdfunding Service Providers Under ECSPR
The European Banking Authority (EBA) published the final draft regulatory technical standards specifying information that crowdfunding service providers shall provide to investors on the calculation of credit scores and prices of crowdfunding offers.
EU Confirms Agreement on Rules on Cybersecurity and Banking Resolution
The European Securities and Markets Authority (ESMA) published a paper that examines the systemic risk posed by increasing use of cloud services, along with the potential policy options to mitigate this risk.
EC Consults on PSD2 and Open Finance; EU Reaches Agreement on DORA
The European Commission (EC) published a public consultation on the review of revised payment services directive (PSD2) and open finance.
EC Mandates ESAs to Propose Amendments to SFDR Technical Standards
The European Commission (EC) has issued two letters mandating the European Supervisory Authorities (ESAs) to jointly propose amendments to the regulatory technical standards under Sustainable Finance Disclosure Regulation or SFDR.
EBA Examines Supervisory Practices, Issues Deposits Reporting Template
The European Banking Authority (EBA) published its annual report on convergence of supervisory practices for 2021. Additionally, following a request from the European Commission (EC),
SNB Updates NSFR Forms and FINMA Consults on Operational Risk Circular
The Swiss National Bank (SNB) published Version 1.2 of the reporting forms (NSFR_G and NSFR_P) on the net stable funding ratio (NSFR) of banks, along with the associated documentation.
US Agency Publications Address Basel, Reporting, and CECL Developments
The Farm Credit Administration published, in the Federal Register, the final rule on implementation of the Current Expected Credit Losses (CECL) methodology for allowances