Australia: APRA issues guidance on common cyber control weaknesses
On August 15, 2024, the Australian Prudential Regulation Authority (APRA) issued a letter to all regulated entities, providing guidance on common cyber control weaknesses. The letter emphasizes the importance of maintaining strong cyber defenses across the banking, superannuation, and insurance industries. The letter highlights that in light of the evolving cyber threat landscape, entities must remain vigilant and proactively address weaknesses in their cyber control environments.
Key areas of concern
The letter identifies the following primary areas where common cyber control weaknesses have been observed:
- Configuration management: inconsistent application and maintenance of security configurations leave IT assets vulnerable. The letter recommends regular updates and strict adherence to security baselines.
- Privileged access management: many entities lack complete records of privileged accounts and fail to restrict access based on valid business needs.
- Security testing: security testing is often insufficient, with limited coverage and outdated methods. The letter recommends a comprehensive testing approach that includes vulnerability scans, penetration tests, and red-team exercises.
Recommendations
The letter advises regulated entities to review their control environments against the identified weaknesses and to address any gaps that could materially affect the entity's risk profile or financial soundness. It notes that such a gap may constitute a material information security control weakness, which is notifiable to APRA under Prudential Standard CPS 234 Information Security (CPS 234 requires notification of a material control weakness that the entity expects it will not be able to remediate in a timely manner).
The letter also encourages entities to conduct regular self-assessments aligned with Prudential Practice Guide CPG 234 Information Security and to adopt mitigation strategies from established frameworks such as the Australian Cyber Security Centre's Essential Eight. Finally, the letter includes an appendix summarizing the identified weaknesses and the relevant guidance in APRA's prudential framework.