Banks, insurance companies, and other financial services providers remain inadequately protected against cyber security breaches despite years of guidance about how to improve, a compliance audit by the Australian Prudential Regulation Authority (APRA) has found.

APRA’s rolling “cyber security stocktake” – which the agency called “the largest study of its kind” – is evaluating compliance with CPS 234, an industry mandate that was implemented in July 2019 and requires APRA-regulated entities to improve cyber security resilience by “maintaining an information security capability commensurate with information security vulnerabilities and threats.”

Four years on – and with around a quarter of what will ultimately be more than 300 organisational audits now complete – things aren’t looking good.

As was found during a small 2021 pilot program, APRA’s larger review of entities’ cyber security controls identified “several concerning gaps across the industry” – including six main deficiencies.

Problems included incomplete inventories of “critical and sensitive information assets” and “limited” control of third-party information security capabilities.

Many organisations are still not reviewing the cyber security practices of business partners and suppliers in their supply chains – and even where such reviews were conducted, APRA found, many firms had failed to prioritise the testing of third parties’ critical and sensitive information assets.

Many entities are also failing to review and test their incident response plans, APRA noted, with “inadequate definition and execution” of such programs leaving them clueless about what to do when they are breached.

The audit also found that many companies failed to review their information security controls, leaving many users with inappropriate systems access policies that can be exploited by cyber criminals.

Others had also failed to test their physical security controls and policies to prevent data loss – and even after being breached, many had failed to report “material incidents” to APRA as quickly as they are required to.

“APRA encourages every entity to review the common weaknesses outlined, along with the prudential standard itself, and incorporate relevant strategies and plans to address shortfalls in their cyber security controls and governance policies,” the regulator noted as it continues a four-year Cyber Security Strategy focused on increasing boards of directors’ cyber practices.

Great expectations, lesser reality

Four years after CPS 234 came into effect, the fact that highly regulated financial services providers are still struggling to meet cyber security expectations – and that many have not even implemented several of the regulation’s core requirements – highlights the persistent gulf between cyber security best practice and reality.

Cyber security shortcomings have contributed to ongoing compromises of financial services providers, with finance organisations flagged as the second most-compromised industry sector in the latest data breach statistics from the Office of the Australian Information Commissioner (OAIC).

Yet failure to meet expectations is hardly limited to financial services providers: despite significant investments in cyber security and clear guidance about how to improve, organisations like Australia Post and Transport for NSW failed recent cyber security audits.

After reviewing cyber security practices at a range of non-corporate Commonwealth Government entities, the Australian National Audit Office (ANAO) recently reported “ongoing low levels of cyber resilience… and high rates of non-compliance with Policy 10 requirements”.

Despite clear guidance about how public-sector organisations should improve their cyber security practices, one recent audit found that 76 per cent of entities had not fully implemented Protective Security Policy Framework (PSPF) Policy 10, whose recommendations include implementation of the Essential Eight cyber security mitigation strategies.

Recognising that many organisations still don’t understand how to translate best-practice guidance into better cyber security, the Australian Cyber Security Centre (ACSC) this month partnered with TAFEcyber to deliver a three-day Essential Eight Assessment Course designed to help companies finally get with the program.

The goals of the course include delivering a “broad understanding” of the Essential Eight Maturity Model, TAFEcyber explains, and ensuring that “consistent methodologies are used in the assessment of an organisation’s maturity against the model.”

Similarly, APRA – which is currently conducting the second and third tranches of its audit program and will run the fourth and final tranche later this year – wants to help regulated companies fill in the many gaps in their security strategies.

The regulator “will continue to work with those entities that do not sufficiently meet CPS 234 requirements,” it said, “and will further engage with the industry to lift the benchmark for cyber resilience.”