Government review exhorts APRA to boost IT risk and cyber capability

APRA has been urged to uplift its IT risk and cyber assessment capabilities, with the Federal Government’s Capability Review revealing that chronic under-resourcing has hampered the prudential regulator's ability to manage digital disruption and increasing cyber threats facing the financial services industry.

The Treasury’s Capability Review, a key recommendation of the Hayne Royal Commission, found the regulator ill-equipped to respond to the “volume, scope and pace of change” in financial services technology.

The Capability Review panel, chaired by Graeme Samuel, acknowledged the challenge posed to long-standing operating models – from which APRA continues to benchmark its regulatory scope – by technology-enabled businesses (known otherwise as fintechs), whilst also recognising the regulator’s limited capacity to monitor data flows beyond its “perimeter”, with FSIs increasingly farming out their data to third-party service providers (including cloud vendors).

As part of the Treasury review process, APRA’s staff were surveyed on a range of concerns affecting their regulatory enforcement capabilities. In one count, less than half (43 per cent) of all respondents considered the watchdog well positioned to identify “material issues” with FSIs’ operational resilience.

The Review panel found staff hampered by a number of structural and resourcing issues within the regulator, including a “piecemeal and limited” prudential review schedule, unexplained delays in assisting FSIs with cloud and systems migration compliance, “variable confidence” across frontline teams to engage with IT risk, and no prudential standard for data management.

The Review also highlighted the distinct lack of IT risk and cyber specialists within APRA’s retinue, “[limiting its] scope for in-depth forward-looking research” to mitigate risk. Curiously, the regulator maintains just nine dedicated IT risk (including cyber) staff, while comparable regulators were estimated to have between 30 and 49 dedicated specialists, the Review panel found.

Moreover, despite a 2018 update to its Cyber Risk Strategy, the panel found that APRA still does not have a formal cyber incident response plan or a routine data collection process.

Whilst acknowledging APRA’s efforts to improve the industry’s cyber resilience and threat resistance, the panel stressed that the watchdog still lags its leading peers.

“Internationally, prudential regulators identify cyber-risk as a top-tier priority. It is recognised as a challenging and rapidly developing area. The prudential regulators leading in this area have taken steps, including coordinating penetration testing, facilitation of industry information sharing, setting minimum ‘hygiene’ standards for industry and developing incident response protocols,” the panel said in its report.

These capabilities, the panel tacitly acknowledged, remain distinctly lacking in APRA's existing cyber risk management capability.

Review authors also urged APRA to take on a greater leadership role to bolster the financial sector’s cyber defences and to extend this effort to a “national level”, whilst stressing that no watchdog can or should be expected to prevent cyberattacks.

Recognising the limitations of building a cyber risk capability internally, due to the overwhelming scale and mandate of APRA, the panel urged the regulator to seek outside help, “[building] strong allegiances with public and private sector experts, other regulators and financial firms to augment its internal capacity and to collaborate on ways to strengthen the cyber resilience of APRA’s regulated sectors.”

APRA offered only brief responses to the panel's recommendations, saying that while it supported the panel’s advice to boost cyber resilience, additional resources would be needed to achieve this.

The regulator nevertheless appeared keen to embrace greater cross-sector collaboration and partnerships to bolster IT risk capacity and capability, stating it is in the process of “developing a cyber and technology strategy that includes building strong allegiances with public and private sector experts.”