
Australia: APRA issues guidance on common cyber control weaknesses

On August 15, 2024, the Australian Prudential Regulation Authority (APRA) issued a letter to all regulated entities, providing guidance on common cyber control weaknesses. The letter emphasizes the importance of maintaining strong cyber defenses across the banking, superannuation, and insurance industries. The letter highlights that in light of the evolving cyber threat landscape, entities must remain vigilant and proactively address weaknesses in their cyber control environments.

Key areas of concern

The letter identifies the following primary areas where common cyber control weaknesses have been observed:

  • Configuration management: inconsistent application and maintenance of security configurations leave IT assets vulnerable. The letter recommends regular updates and strict adherence to security baselines.
  • Privileged access management: many entities lack complete records of privileged accounts and fail to restrict access based on valid business needs.
  • Security testing: security testing is often insufficient, with limited coverage and outdated methods. The letter recommends a comprehensive testing approach that includes vulnerability scans, penetration tests, and red-team exercises.

Recommendations

The letter advises regulated entities to review their control environments against the identified weaknesses and address any gaps that could materially impact the entity's risk profile or financial soundness. The letter notes that, if such gaps are identified, they may constitute a material security control weakness, which is notifiable under CPS 234 Information Security.

The letter also encourages entities to conduct regular self-assessments aligned with the Prudential Practice Guide CPG 234 Information Security and to adopt mitigation strategies from established frameworks like the Essential Eight. Finally, the letter includes an appendix that provides a summary of the identified weaknesses and relevant guidance from APRA's prudential framework.

You can read the press release here, and the letter here.