Tag: Report 429

1
APRA raising the bar on Cybersecurity
2
Cybersecurity Risk Management – Financial Services Entities Required to Act
3
Cyber Resilience for Financial Services Entities

APRA raising the bar on Cybersecurity

By Jim Bulling

At the Association of Superannuation Funds of Australia (ASFA) conference held in Brisbane in the last week of November, Stephen Glenfield, APRA’s General Manager of the South West region indicated that an area of significant interest for APRA during 2016 would be the extent to which superannuation funds were prepared for cybersecurity risks.

Mr Glenfield indicated that APRA would be conducting a thematic review of superannuation funds during 2016 which was designed to provide APRA with much more detailed information about the processes that superannuation fund trustees were putting in place to protect their funds and their members from cybersecurity breaches.

As thematic reviews carried out by APRA are usually precursors to further regulatory or prudential reform, this announcement should alert superannuation funds to expect more comprehensive regulatory requirements in relation to the cybersecurity risks in the near future.

It is expected that APRA will be particularly interested in understanding how superannuation fund risk management frameworks address cybersecurity risks and how trustee boards are involved in the oversight of cybersecurity risk management. A likely focus of the reviews will be investigating the measures which superannuation funds have established to:

  • identify critical assets and data
  • protect such assets and data
  • promptly detect when breaches have occurred
  • respond to breaches including communications and reporting
  • recover from breaches including reinstatement of systems and learnings from incidents.

This initiative comes on the back of ASIC’s release during March of this year of its Report 429 on Cyber Resilience and underlines how Australia’s financial system Regulators are becoming much more concerned about cybersecurity risks.

Cybersecurity Risk Management – Financial Services Entities Required to Act

By Jim Bulling

It seems clear following the release in March this year of ASIC Report 429 Cyber Resilience, that all Australian Financial Services Licensees and superannuation funds are currently required to include in their risk management framework measures aimed at addressing the risks posed by cybersecurity breaches.

In addressing the risks ASIC recommends that the U.S. National Institute for Standards and Technology (NIST) framework is a relevant risk management tool. The NIST standards set out the key objectives of an appropriate risk framework:

  • identify the critical assets and governance processes
  • protect critical assets
  • detect breaches and incidents
  • responses to breaches and incidents
  • recovery and reinstatement of systems.

You can download a copy of the framework here

These objectives will need to be merged into the existing financial services policy frameworks which financial services entities already have in place.

Cyber Resilience for Financial Services Entities

by Jim Bulling and Julia Baldi

ASIC Report 429
In March this year, the Australian Securities and Investments Commission (ASIC), issued Report 429 Cyber resilience: Health check (REP 429). The report aims to highlight the importance of cyber resilience for entities regulated by ASIC, including Australian Financial Services Licence holders, Australian Credit Licence holders and listed entities. The Report indicates that ASIC is keen to ensure that Australia keeps pace with developments in Europe and the United States in combatting cybersecurity risks.

Click here to read the full article.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.