A large-scale cyber security assessment of Australia’s finance sector continues to uncover weaknesses in the way third parties handle data and meet security standards.
The assessment will ultimately cover “more than 300 banks, insurers and superannuation trustees” by the end of 2023 and is billed as “the largest study of its kind to be conducted by APRA.”
APRA has so far assessed one quarter of these, and the results are largely similar to a smaller sample it assessed back in 2021.
That is, supply chain security continues to be an issue for the finance sector, as does having incident response plans that test “plausible disruption scenarios”.
The majority of the findings deal with supply chain risk.
APRA said that information assets managed by third parties “are not fully identified and classified and, in some cases, not identified at all”.
“Without proper identification and classification, it can be difficult for entities to determine the appropriate information security controls to protect critical and sensitive data from unauthorised access or disclosure,” APRA said.
With “more and more entities… relying on service providers to manage critical systems”, APRA said there's a need for better assurance of providers’ information security controls.
APRA was unsatisfied with the depth of assessments of providers’ controls, and noted some weren’t being independently assessed at all.
Where controls are independently assessed, APRA found that “in some cases, internal auditors performing control testing lack the necessary information security skills.”
APRA is also meant to be notified of any security incidents or weaknesses that are identified.
However, it found that “contracts with critical third parties do not contain the requirement to report material incidents and control weaknesses to APRA”.
Outside of supply chain risks, APRA also raised concerns that incident response plans were still built around mostly implausible scenarios, or did not test widely enough.
In the pilot back in 2021, APRA was worried the finance sector was unprepared for ransomware incident response.
It now wants to see a much broader range of scenarios being tested, including data breach, credential compromise, denial-of-service attacks, “hack of an internet-facing platform”, and “compromise by an advanced persistent threat”.
APRA said that it typically “intensifies its supervisory oversight” in areas where it identifies gaps in compliance.