Regulator pilot tests cyber security protocols

The Australian Prudential Regulation Authority (APRA) is testing the cyber security chops of selected regulated entities as it cracks down on vulnerability in Australia’s financial system.

In November, APRA released its new cyber security strategy, which is designed to substantially lift standards in the face of this rapidly increasing risk.

Under the new plan, boards and executives oversee and direct correction of cyber exposures and APRA is asking boards to engage an external audit firm to conduct a review of their firms’ compliance with CPS 234, the prudential standard that sets out how information security threats must be addressed.

“We are working to ensure we have a robust cross-agency cyber incident response protocol in place for when major cyber incidents happen,” Chairman Wayne Byres told the Senate Economics Legislation Committee in Canberra last week.

Cyber defences are of great importance, Mr Byres says, but APRA only directly supervises around 680 of an estimated 17,000 interconnected financial entities, markets and infrastructure providers, “not to mention all of the related service providers”.

As a result, APRA’s new strategy recognises a need to work closely with other arms of government, including the Council of Financial Regulators (CFR), national security agencies and the Department of Home Affairs.

“In that regard, we have a number of important pieces of work underway,” Mr Byres said.

“We are undertaking a pilot exercise involving penetration testing of selected regulated entities and we are working to ensure we have a robust cross-agency cyber incident response protocol in place for when major cyber incidents happen.”

APRA plans to collect more data in new areas to better understand the cyber threat, and share that knowledge to enable industry self-assessment and benchmarking.

A program of independent reviews of compliance with APRA’s new Information Security standard CPS 234 is underway, and APRA has begun a data collection exercise on technology and cyber risks.

APRA is dialing up its supervision after the sudden shift to remote working because of the pandemic created a heightened cyber risk environment, with major financial institutions warding off attempted cyber attacks on a daily basis.

Mr Byres also says APRA is on track to complete 10 royal commission recommendations this year, notably finalising its new standard on remuneration. On 12 enforcement referrals relating to 10 entities, APRA is close to completing 11 matters and expects the last one to be resolved by the end of the year.