APRA targets cybersecurity gaps with new guidance

Common cyber weaknesses in financial sector unveiled


By Roxanne Libatique

The Australian Prudential Regulation Authority (APRA) has released updated guidance to its regulated entities, focusing on prevalent cybersecurity control weaknesses.

This advisory is part of APRA’s broader initiative to strengthen cyber resilience across the financial services sector as cyber threats continue to plague the country.

Common cyber control weaknesses in Australian financial sector

The recent guidance highlights common deficiencies observed in three key areas:

  • configuration management
  • privileged access management
  • security testing

APRA expects regulated entities to assess their cybersecurity frameworks in light of these identified issues and address any gaps that might affect their risk profile or overall security posture.

How to address cyber weaknesses in Australian financial sector

APRA’s recommendations emphasise the need for secure and regularly updated configurations for IT assets, particularly as new vulnerabilities emerge.

Entities are advised to implement strong change management practices to maintain consistent security configurations, in line with the principles outlined in the Prudential Practice Guide CPG 234 Information Security (CPG 234).

In the realm of privileged access management, APRA underscored the importance of maintaining accurate records of all privileged accounts and ensuring that access to critical systems is strictly controlled and based on valid business needs. Additionally, the guidance highlights the necessity of using secure methods to store and protect access credentials.

The regulator also pointed out that many entities have limited their security testing to a narrow range of IT assets, which may leave other areas vulnerable. It advised a more expansive approach to security testing that includes a variety of methodologies, consistent with current industry standards.

Entities are further reminded that any cybersecurity gaps that could significantly impact their risk profile should be reported under paragraph 36 of CPS 234.

APRA continues to advocate for regular self-assessments, encouraging entities to follow best practices as detailed in CPG 234 and to adopt mitigation strategies from frameworks like the Essential Eight.

The latest guidance reaffirms APRA’s ongoing focus on bolstering the cyber resilience of the financial sector. It follows the regulator’s earlier communications about data backup security.

APRA said it will continue to provide insights and support to help entities address vulnerabilities and enhance their cybersecurity measures. It has invited entities with questions about the guidance to reach out to their assigned supervisor for further assistance.
