Key points from Executive Board Member Geoff Summerhayes’ speech to the Financial Services Assurance Forum: Lessons for Energy Sellers


Cyber threats are accelerating and evolving rapidly. The COVID-19 pandemic has led to a surge in online activity and remote working, providing more opportunities for cyber criminals to attack. Boards and internal audit functions often lack understanding and expertise in cyber security, leaving organisations vulnerable.

To address this, APRA has released a new Cyber Security Strategy for 2020 to 2024. It aims to:

  1. Establish a baseline of cyber controls including information sharing and incident response. The goal is to address basic cyber hygiene issues, foster collaboration, and ensure organisations are prepared for breaches.
  2. Enable boards and executives to properly oversee cyber risks. APRA will provide guidance and increase scrutiny of cyber governance. Boards need to understand cyber risks and take action. Internal audit functions also need to strengthen their cyber capabilities to properly inform and challenge boards.
  3. Address weak links in the broader financial ecosystem including third-party providers. APRA will work with providers and auditors to strengthen cyber standards and oversight practices. It will also work with other regulators to harmonise cyber regulation across the financial system.

To implement the strategy, APRA will collect more cyber threat data, take a targeted approach to ensuring compliance, conduct independent reviews of organisations, and consider enforcement action if necessary. By sharing information and addressing vulnerabilities, the industry can work together to strengthen cyber defences.

For energy retailers, there are valuable lessons in APRA’s strategy. Like financial services, the energy sector is increasingly digital and connected, with complex supply chains and third-party providers. This expanding ecosystem provides more opportunities for sophisticated cyber attacks that could disrupt essential services.

Energy retailers should focus on:

• Educating and engaging their board on cyber risks to enable effective governance and oversight. Board members need to understand threats, consider worst-case scenarios, and direct resources appropriately.

• Strengthening their internal audit function’s cyber capabilities through recruitment or training. Internal audit needs to rigorously assess cyber risks and controls to properly inform the board.

• Tightening controls and oversight of third-party providers, especially any critical infrastructure providers or sensitive data handlers. While regulation may not mandate this yet, strengthening the weakest links in the supply chain is key for resilience.

• Participating in industry collaboration and information sharing on cyber threats and best practices. By working together, energy retailers can better identify, prevent and respond to cyber attacks.

• Considering an external “health check” of their cyber risk management to identify any major vulnerabilities before an incident occurs. An independent expert review could provide useful insights to benchmark against peers and guidance for improvements.

In summary, while APRA’s strategy is aimed at the financial sector, the themes of governance, collaboration, and vigilance against an accelerating threat apply equally to essential service providers like energy retailers. Taking a proactive approach to cyber resilience is critical for any organisation and industry in today’s connected world.
