APRA targets cybersecurity gaps with new guidance
Common cyber weaknesses in financial sector unveiled
By Roxanne Libatique, Insurance Business Australia (Cyber)
The Australian Prudential Regulation Authority (APRA) has released updated guidance to its regulated entities, focusing on prevalent cybersecurity control weaknesses.
Common cyber control weaknesses in Australian financial sector
The recent guidance highlights common deficiencies observed in three key areas:
configuration management
privileged access management
security testing
How to address cyber weaknesses in Australian financial sector
APRA’s recommendations emphasise the need for secure and regularly updated configurations for IT assets, particularly as new vulnerabilities emerge.
Entities are advised to implement strong change management practices to maintain consistent security configurations, in line with the principles outlined in the Prudential Practice Guide CPG 234 Information Security (CPG 234).
In the realm of privileged access management, APRA underscored the importance of maintaining accurate records of all privileged accounts and ensuring that access to critical systems is strictly controlled and based on valid business needs. Additionally, the guidance highlights the necessity of using secure methods to store and protect access credentials.
The regulator also pointed out that many entities have limited their security testing to a narrow range of IT assets, which may leave other areas vulnerable. It advised a more expansive approach to security testing that includes a variety of methodologies, consistent with current industry standards.
Entities are further reminded that any cybersecurity gaps that could significantly impact their risk profile should be reported under paragraph 36 of CPS 234.
APRA continues to advocate for regular self-assessments, encouraging entities to follow best practices as detailed in CPG 234 and to adopt mitigation strategies from frameworks like the Essential Eight.
APRA said it will continue to provide insights and support to help entities address vulnerabilities and enhance their cybersecurity measures. It has invited entities with questions about the guidance to reach out to their assigned supervisor for further assistance.