Significant cyber attacks “probably inevitable” according to APRA
(7 March 2018 – Australia) A significant cyber attack is “probably inevitable”, according to the prudential regulator, and financial institutions need to improve their response efforts.
Australian Prudential Regulation Authority executive board member Geoff Summerhayes called into question the ability of insurers, superannuation funds and banks to respond effectively to the now “pervasive” and accelerating prudential risk of cyber attack.
“APRA is concerned that basic cyber hygiene is sometimes being neglected,” he said.
Mr Summerhayes' speech comes a day after APRA released for consultation its first prudential standard on countering cyber attacks. Under the proposed standard, boards will have to notify APRA within 24 hours of experiencing a “material information security incident”, reinforcing that “ultimate responsibility” lies with the board.
“Regulated entities will be expected to maintain sufficient information security capability to deal with changing vulnerabilities and threats, and continually test this for effectiveness,” Mr Summerhayes said.
Mandatory data breach reporting laws only came into effect in Australia in February, years after they were introduced in other countries.