Letters

Additional insights on common cyber resilience weaknesses

To: All APRA-regulated entities

As a supervision priority in APRA’s Interim Policy and Supervision Priorities update, APRA will maintain its heightened focus on the cyber resilience of regulated industries. Entities across banking, superannuation and insurance must remain vigilant and proactively implement strategies to mitigate risks posed by the evolving and escalating cyber threat landscape.

APRA’s last letter to industry reinforced the expectation that entities must comply with the baseline requirements in CPS 234 Information Security (CPS 234) and reflects APRA’s ongoing commitment to sharing the latest insights with industry to help improve the cyber resilience of the financial system. This letter aims to share additional insights and guidance related to the common cyber weaknesses observed in terms of security in configuration management, privileged access management and security testing.

Please refer to the Appendix containing a summary of these weaknesses and relevant guidance from APRA’s Prudential framework.

APRA expects regulated entities to review their control environment against these common weaknesses. If the review identifies gaps that could materially impact the entity’s risk profile or financial soundness, APRA considers this a material security control weakness notifiable under paragraph 36 of CPS 234.

APRA also recommends that entities conduct regular self-assessments aligned with the sound practices in Prudential Practice Guide CPG 234 Information Security (CPG 234), and adopt relevant mitigation strategies from established frameworks like the Essential Eight.

Please contact your supervisor should you have any questions regarding the content of this letter.

Yours sincerely,

Alison Bliss
General Manager, Operational Resilience
Cross Industry Division

Appendix

Security in configuration management

Observations	Guidance
Not all IT assets have a baseline level of security configuration when implemented and are not reassessed when new vulnerabilities emerge.	Ensure the configuration of information assets minimises vulnerabilities and is defined, assessed, registered, maintained, including when new vulnerabilities and threats are discovered, and applied consistently (refer CPG 234 paragraph 36, Attachment D).
Some IT assets deviate from the approved secure baseline configuration.	Maintain controls to manage changes to information assets, including changes to configuration with the aim of maintaining information security (refer CPG 234 paragraph 47, paragraph 56, paragraph 67 CPG 234 and Attachment G).
Gaps in the process of identifying, escalating, and remediating IT assets that deviate from the secure baseline have resulted in vulnerabilities.	Ensure the existing and emerging information security vulnerabilities and threats caused by insecure configuration of information assets are identified, assessed and remediated in a timely manner (refer CPG 234 paragraph 39).

Privileged access management

Observations	Guidance
Lack of a complete and accurate inventory of all privileged accounts, including both user and system accounts.	Maintain complete and accurate records of all privileged accounts (refer CPG 234 paragraph 36, paragraph 67 and Attachment C).
Privileged access to information assets is not always approved and granted based on a valid business need and for a specified time.	Ensure access to information assets is only granted where a valid business need exists, and only for as long as access is required. (CPG 234 Attachments A and C).
Privileged access credentials may not always be strong and securely stored in approved solutions.	Ensure the strength of identification and authentication is commensurate with the impact should an identity be falsified (CPG 234 Attachment C).

Security testing

Observations	Guidance
Inadequate and insufficient testing coverage, often with repeated testing of the same limited set of IT assets.	Ensure the testing program: references the population of information security controls across the entity, enables the validation of the design and operating effectiveness of controls over time, and leverages a variety of testing approaches informed by contemporary industry practices including IT general controls, vulnerability scanning, traditional penetration tests of software and infrastructure, red-team and gold-team exercises. (refer CPG 234 paragraphs 78-80 and Attachment G)
Inadequate management and oversight of security test findings.	Report test results to the appropriate governing body or individual, with associated follow-up actions formally tracked. (refer CPG 234 paragraph 81).

Observations

Guidance

Inadequate and insufficient testing coverage, often with repeated testing of the same limited set of IT assets.

Ensure the testing program:

references the population of information security controls across the entity,
enables the validation of the design and operating effectiveness of controls over time, and
leverages a variety of testing approaches informed by contemporary industry practices including IT general controls, vulnerability scanning, traditional penetration tests of software and infrastructure, red-team and gold-team exercises.

(refer CPG 234 paragraphs 78-80 and Attachment G)

Inadequate management and oversight of security test findings.

Report test results to the appropriate governing body or individual, with associated follow-up actions formally tracked. (refer CPG 234 paragraph 81).

2024