The Australian Prudential Regulation Authority (APRA) says insurers and other financial institutions need to lift their cyber-security efforts to comply with a new standard.
Executive Member Geoff Summerhayes says Australia is the No. 1 Asia-Pacific target for malicious software, and a significant incident affecting a regulated group is probably inevitable.
“A sense of urgency is paramount given the scale of the threat and the speed with which it’s evolving as the digital world expands,” he told the Insurance Council of Australia Annual Forum. “The challenge requires ongoing vigilance, improvement, investment and oversight because, though this race has no finish line, it’s not a contest you can afford to lose.”
APRA has released a draft of information security prudential standard CPS 234 for consultation, and expects it will be finalised in November and take effect from July next year.
Mr Summerhayes says the regulator is generally satisfied with the industry’s approach to cyber security, but there is no room for complacency.
“No APRA-regulated entity has suffered a significant loss due to a cyber incident, but that’s not for want of trying by cyber criminals,” he said.
“Many institutions overseas have not been so fortunate.”
The standard will reinforce the fact that boards have ultimate responsibility for information security, and that entities should be able to safeguard against threats and to detect and respond to incidents in a timely way.
It requires APRA to be notified of any material incident within 24 hours.
Mr Summerhayes says the regulator is also monitoring risks from the use of algorithms in financial services, amid the rise of advanced data analytics and the Internet of Things.
“With their design unknown to most employees and their working largely invisible to both entities and their customers, any flaws in an algorithm’s functioning or conclusions may not be easily identified and addressed,” he said.