The Australian Prudential Regulation Authority (APRA) has said that information reporting over cyber security “is not fit-for-purpose” as it stressed that boards adopt a proactive approach to oversight of cyber-risk.
The regulator said that it expects boards to “have the same level of confidence in reviewing and challenging information security issues as they do when governing other business issues”.
APRA considers boards need to be more proactive in the following three areas:
- reviewing and challenging management reports on cyber issues generally
- ensuring organisations are in a position to recover from cyber-attacks (including recovering lost data)
- ensuring the effectiveness of information security controls across the supply chain
APRA stated that it is “ultimately the board’s responsibility to ensure that management is fully across the cyber threat they face and, where necessary, takes appropriate action to ensure its entity remains cyber resilient”.
The regulator added that the insights gained from two pilot initiatives – a technology resilience data collection and an independent assessment of a pilot set of entities’ compliance with Prudential Standard CPS 234 Information Security – have served to reinforce its view that boards need to strengthen their ability to oversee cyber resilience.
APRA also said that boards need to play a more active role when it comes to reviewing and challenging cyber information.
Perhaps even more worryingly, the regulator identified two key issues of concern, noting that there was “little evidence of boards actively reviewing and challenging the information that senior management has provided on cyber topics”.
It also said that management reporting on information security to the board “is not fit-for-purpose and unlikely to facilitate meaningful discussion”.
APRA’s pilot CPS 234 assessment involved a small sample of banking, insurance and superannuation entities undergoing an independent assessment against CPS 234 requirements.
APRA plans to continue to roll out the CPS 234 independent assessment to remaining APRA-regulated entities over the next couple of years and to share relevant insights with industry.