
APRA updates information security guidance


Eliot Hastie

APRA has released for consultation its updated guidelines on protecting against the rise in information security risks, including cybercrime. 

The regulation authority is seeking feedback on its cross-industry practice guide, which would replace the existing management of security risk guide.

The updated guide has been developed to help the industry embed the new cross-industry prudential standard which comes into effect in July this year. 


It also provides guidance on addressing common security weaknesses that have been observed by APRA through its activities within the industry. 

The guide is aimed at boards and management and outlines how regulated entities can maintain information security capabilities commensurate with the size and complexity of their business and sensitivity of their data. 

The last time the guide was updated was in 2012 and APRA’s executive board member Geoff Summerhayes said the landscape had changed dramatically since then. 

“Australia’s banks, insurers and superannuation funds are major targets of cybercrime, and the risk is accelerating as attackers gain in skill and technological sophistication. 

“Unfortunately, it is only a matter of time until a significant cyber breach occurs at an Australian financial institution,” Mr Summerhayes said.

In fact, according to the Office of the Australian Information Commissioner, there were 40 notifications of data breaches in the financial industry during the fourth quarter of 2018.

The OAIC revealed that the biggest source of data breaches in the industry was malicious or criminal attack, accounting for 70 per cent of the data breaches.

Mr Summerhayes said that due to the possibility of breaches, the implementation of the standard had been fast-tracked with the updated guide to assist the industry. 

“This updated guide will assist industry to implement the requirements of the standard, recognising that not every entity has the same resources or expertise. 

“The guide remains principles-based but is sufficiently prescriptive to help those entities that want more specific direction on meeting their obligations,” he said. 

APRA will review industry feedback after an eight-week consultation and will release the final version of the guide prior to the implementation in July. 

 

 
