APRA's study on cyber resilience in financial services shows a need to raise the bar


Early findings from an expansive Australian Prudential Regulation Authority (APRA) study on cyber resilience in financial services show there is a need to raise the bar, with APRA rigorously targeting areas of non-compliance.


Further, APRA has been clear in stating that where gaps are identified and breach reporting is undertaken, it will intensify its supervisory oversight to help ensure entities remediate cyber resilience deficiencies and meet their CPS 234 obligations.

Of interest to us at RedBelts was that one of the most common control gaps identified in the study was information security controls of third parties.


APRA rightfully observed that achieving sufficient assurance of information security controls operated by third-party service providers is a common challenge. This is a concern as more and more entities are relying on service providers to manage critical systems.

The areas identified below for finding gaps have all, for some time, formed part of RedBelts' proprietary third-party risk management solution. These include:

  1. Understanding which information assets are managed by third parties and using this to determine the level of rigour required in testing;
  2. Understanding the controls that the third parties have in place;
  3. Testing third-party control effectiveness through a combination of interviews, surveys, control testing, certifications, contractual reviews, attestations, referrals and independent assurance assessments; and
  4. Ensuring any capability gaps identified are addressed in a timely manner.


RedBelts couldn’t be more aligned with APRA’s position in encouraging every entity to review those common weaknesses outlined above, along with the prudential standard itself, and incorporate relevant strategies and plans to address shortfalls in their cyber security controls and governance policies.

If you are interested in knowing more, get in touch with us.


  • Author
  • Maxime C
