The prudential regulator wants boards to sharpen their oversight of, and accountability for, cyber breaches, finalising a new standard on “operational risk management” which seeks to fortify the financial sector against hacks such as the one that devastated Medibank Private.
In a new cross-industry policy covering banks, insurers and superannuation trustees, the Australian Prudential Regulation Authority said boards were ultimately accountable for operational risk. It wants companies to get on the front foot to reduce disruption for customers should systems go down.
“We expect regulated entities to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements,” APRA chairman John Lonsdale said on Monday.
The final standard, known as CPS 230, contains new requirements “to address identified weaknesses in existing controls” and to improve planning to ensure services can still be provided if computer systems are compromised. Companies will have to enhance risk management of third-party IT service providers.
The conclusion of the year-long process to settle the revised standard comes after hackers stole almost 10 million customer records from Medibank last year and released some information after demanding a ransom payment, raising concerns about cybersecurity defences in the financial services sector.
“The need for APRA’s new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches,” Mr Lonsdale said.
“This new standard will ensure that regulated entities set and test controls and maintain robust business continuity plans to respond if disruptions do occur.”
APRA has extended the effective
Read more on afr.com