Cyber threats are accelerating and evolving rapidly. The COVID-19 pandemic has led to a surge in online activity and remote working, providing more opportunities for cyber criminals to attack. Boards and internal audit functions often lack understanding and expertise in cyber security, leaving organisations vulnerable.
To address this, APRA has released a new Cyber Security Strategy for 2020 to 2024. It aims to:
- Establish a baseline of cyber controls including information sharing and incident response. The goal is to address basic cyber hygiene issues, foster collaboration, and ensure organisations are prepared for breaches.
- Enable boards and executives to properly oversee cyber risks. APRA will provide guidance and increase scrutiny of cyber governance. Boards need to understand cyber risks and take action. Internal audit functions also need to strengthen their cyber capabilities to properly inform and challenge boards.
- Address weak links in the broader financial ecosystem including third-party providers. APRA will work with providers and auditors to strengthen cyber standards and oversight practices. It will also work with other regulators to harmonise cyber regulation across the financial system.
To implement the strategy, APRA will collect more cyber threat data, take a targeted approach to ensuring compliance, conduct independent reviews of organisations, and consider enforcement action if necessary. By sharing information and addressing vulnerabilities, the industry can work together to strengthen cyber defences.
For energy retailers, there are valuable lessons in APRA’s strategy. Like financial services, the energy sector is increasingly digital and connected, with complex supply chains and third-party providers. This expanding ecosystem provides more opportunities for sophisticated cyber attacks that could disrupt essential services.
Energy retailers should focus on:
- Educating and engaging their board on cyber risks to enable effective governance and oversight. Board members need to understand threats, consider worst-case scenarios, and direct resources appropriately.
- Strengthening their internal audit function’s cyber capabilities through recruitment or training. Internal audit needs to rigorously assess cyber risks and controls to properly inform the board.
- Tightening controls and oversight of third-party providers, especially any critical infrastructure providers or sensitive data handlers. While regulation may not mandate this yet, strengthening the weakest links in the supply chain is key for resilience.
- Participating in industry collaboration and information sharing on cyber threats and best practices. By working together, energy retailers can better identify, prevent and respond to cyber attacks.
- Considering an external “health check” of their cyber risk management to identify any major vulnerabilities before an incident occurs. An independent expert review could provide useful insights to benchmark against peers and guidance for improvements.
In summary, while APRA’s strategy is aimed at the financial sector, the themes of governance, collaboration, and vigilance against an accelerating threat apply equally to essential service providers like energy retailers. Taking a proactive approach to cyber resilience is critical for any organisation and industry in today’s connected world.