APRA getting serious on cyber

CRN reports that APRA is losing patience with regulated entities:

"Three years ago, APRA’s information security standard CPS 234 came into force, and yet many entities are still struggling with foundational issues: ensuring third party controls are effective, making sure that systematic security control testing is in place, and regularly testing incident response plans," APRA Chair Lonsdale said.

"With the potential for serious impact to millions of Australians, our patience has run out."

Don’t forget that APRA focuses not only on regulated entities such as banks, insurers and superannuation companies, but also on the suppliers of material services to these entities.

In July, APRA also announced the new standard “CPS 230 Operational Risk Management”.

Chair John Lonsdale said “We expect regulated entities to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements. There will be a transition phase for existing contractual arrangements with material service providers for entities that need some flexibility.”

The key to becoming CPS 230-compliant is to start now! There is a lot to do, and July 2025 will come around very quickly.