APRA warns finance sector on cybersecurity non-compliance

Australian Prudential Regulation Authority chair John Lonsdale has put the finance industry on notice about non-compliance with information security standard CPS 234.

The standard took effect in July 2019 and is intended to ensure that APRA-regulated entities can withstand cyberattacks and other security threats.

In a speech at a Financial Services Institute of Australasia event in Sydney, Lonsdale said that APRA has lost patience with non-compliant entities.

"Three years ago, APRA’s information security standard CPS 234 came into force, and yet many entities are still struggling with foundational issues: ensuring third party controls are effective, making sure that systematic security control testing is in place, and regularly testing incident response plans," Lonsdale said.

"With the potential for serious impact to millions of Australians, our patience has run out."

"Where an entity is found to be significantly wanting in its cyber preparedness, we are intensifying supervision, insisting upon remediation plans and taking enforcement action such as capital overlays and potentially license conditions."

Lonsdale also said that APRA-regulated entities can start preparing for compliance with CPS 230, which takes effect on 1 July 2025 and aims to ensure entities are resilient to operational risks and disruptions.

"[CPS 230] will help entities to understand and manage the risks across their operational value chain, especially those associated with providing essential services to customers," he said.

"Although the new standard isn’t in place for another 18 months, there are things entities can do now."

"Mapping out critical operations and identifying material service providers is a practical initial step, as is building organisational awareness."

"APRA will continue to work closely with entities to prepare them for the implementation of the standard and will issue additional guidance early next year."

Copyright © nextmedia Pty Ltd. All rights reserved.