APRA targets cybersecurity gaps with new guidance | Insurance Business Australia

Cyber

Common cyber weaknesses in financial sector unveiled

By Roxanne Libatique

The Australian Prudential Regulation Authority (APRA) has released updated guidance to its regulated entities, focusing on prevalent cybersecurity control weaknesses.

Common cyber control weaknesses in Australian financial sector

The recent guidance highlights common deficiencies observed in three key areas:

configuration management
privileged access management
security testing


How to address cyber weaknesses in Australian financial sector

APRA’s recommendations emphasise the need for secure and regularly updated configurations for IT assets, particularly as new vulnerabilities emerge.

Entities are advised to implement strong change management practices to maintain consistent security configurations, in line with the principles outlined in the Prudential Practice Guide CPG 234 Information Security (CPG 234).

In the realm of privileged access management, APRA underscored the importance of maintaining accurate records of all privileged accounts and ensuring that access to critical systems is strictly controlled and based on valid business needs. Additionally, the guidance highlights the necessity of using secure methods to store and protect access credentials.

The regulator also pointed out that many entities have limited their security testing to a narrow range of IT assets, which may leave other areas vulnerable. It advised a more expansive approach to security testing that includes a variety of methodologies, consistent with current industry standards.

Entities are further reminded that any cybersecurity gaps that could significantly impact their risk profile should be reported under paragraph 36 of CPS 234.


APRA continues to advocate for regular self-assessments, encouraging entities to follow best practices as detailed in CPG 234 and to adopt mitigation strategies from frameworks like the Essential Eight.

APRA said it will continue to provide insights and support to help entities address vulnerabilities and enhance their cybersecurity measures. It has invited entities with questions about the guidance to reach out to their assigned supervisor for further assistance.
