Strengthening data privacy and cybersecurity: a review of APRA's findings

Initial results from a new APRA cybersecurity stocktake suggest that entities' struggle to safeguard customer data stems from a failure to identify and classify critical and sensitive information assets.

Written by Anthony Woodward


In an era where cyberattacks are becoming increasingly sophisticated and compliance regulations are becoming more stringent, organizations face significant challenges in safeguarding their customers' sensitive data.

Initial results from a study conducted by the Australian Prudential Regulation Authority (APRA) on the cyber resilience of more than 300 banks, insurers, and superannuation trustees have shed light on the primary reasons behind this struggle: incomplete identification and classification of critical and sensitive information assets.

Six common control gaps identified

In an analysis of 24% of the regulated entities in the study, APRA found six common control gaps. Let’s outline these findings before turning to how organizations can resolve several of them by improving their data inventory and classification efforts.

1. Incomplete identification and classification of information assets

Many organizations lack established policies, tools, and methodologies for identifying and classifying critical and sensitive information assets. Asset registers are not regularly reviewed and updated, and information managed by third parties is often not fully specified or classified.

To address these gaps, APRA recommends entities create an asset inventory repository, such as an inventory management database (IMDB), to register assets and map interrelationships. It is crucial to understand the potential impact of a security compromise on each asset and ensure that its constituent components inherit the highest criticality and sensitivity ratings.
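The inheritance rule above (a component takes the highest criticality and sensitivity of anything that relies on it) is simple to state but easy to get wrong across long dependency chains. The following is an added illustration written for this post, not tooling from APRA or RecordPoint: a minimal asset register where ratings propagate transitively through a dependency map, plus a check for components that are referenced but never classified (the first gap). All asset names and ratings are constructed sample data.

```python
"""Asset register with inherited criticality and sensitivity ratings."""

# Ordered scale for both criticality and sensitivity; higher index = higher rating.
LEVELS = ["low", "medium", "high", "critical"]

def rank(level):
    return LEVELS.index(level)

def propagate_ratings(assets, depends_on):
    """Return {asset: (criticality, sensitivity)} after inheritance.

    assets: asset -> (criticality, sensitivity) declared by its owner.
    depends_on: asset -> list of components it relies on. If A depends on B,
    B is raised to at least A's rating, so a component inherits the highest
    rating of anything relying on it, transitively. Ratings only ever grow
    and the scale is finite, so the fixed-point loop ends even with cycles.
    """
    effective = dict(assets)
    changed = True
    while changed:
        changed = False
        for asset, components in depends_on.items():
            crit, sens = effective[asset]
            for comp in components:
                if comp not in effective:  # unregistered: reported by unclassified()
                    continue
                c_crit, c_sens = effective[comp]
                raised = (max(crit, c_crit, key=rank), max(sens, c_sens, key=rank))
                if raised != (c_crit, c_sens):
                    effective[comp] = raised
                    changed = True
    return effective

def unclassified(assets, depends_on):
    """Components referenced by some asset but absent from the register (gap 1)."""
    referenced = {c for comps in depends_on.values() for c in comps}
    return referenced - set(assets)

# Constructed sample register; names are illustrative, not real systems.
SAMPLE_ASSETS = {
    "customer-portal": ("critical", "high"),
    "app-server": ("medium", "low"),
    "customer-db": ("high", "critical"),
    "shared-storage": ("low", "low"),
    "marketing-site": ("low", "low"),
}
SAMPLE_DEPENDS_ON = {
    "customer-portal": ["app-server", "customer-db"],
    "customer-db": ["shared-storage"],
    "marketing-site": ["shared-storage", "vendor-cdn"],  # vendor-cdn not registered
}
```

Running `propagate_ratings(SAMPLE_ASSETS, SAMPLE_DEPENDS_ON)` raises the low-rated shared storage to critical/critical because the customer database that sits on it serves the critical portal, while `unclassified(...)` surfaces the third-party CDN that nobody registered.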

2. Limited assessment of third-party information security capability

As more entities rely on third-party service providers to manage critical systems, they must understand vendors’ information security controls. Common gaps here included insufficient or nonexistent information security control assessment plans for third parties, a lack of independent verification, control testing evidence that is not retained, and testing whose nature and frequency do not match the sensitivity or criticality of the information managed by third parties.

APRA suggests entities should better understand the information assets managed by third parties, ensure testing has the correct level of rigor, understand the controls that third parties have in place, test these controls using various methods, and ensure they resolve capability gaps rapidly.

Cases like the recent MOVEit supply chain hack show the importance of securing your supply chain, especially when third parties manage critical or sensitive information.

3. Control testing programs

Entities also fail to test the effectiveness of their information security controls in the manner required by APRA. Testing programs for many entities are incomplete, inconsistent, and lacking in independence.

APRA found gaps in information control assurance programs and plans, with the nature and frequency of testing often not matching the criticality and sensitivity of the assets. Testing is also not performed by independent testers, lacks consistency, and the evidence evaluated is not retained.

Entities must adopt a wider range of testing approaches, define clear success criteria, and have independent specialists conduct this testing.

4. Incident response plans

According to the study, some entities lacked information security incident response plans. Those that had such plans often failed to review them regularly. These plans did not clearly define third parties' roles and responsibilities, and covered only a limited range of plausible disruption scenarios.

Entities must test their incident response plans annually to ensure they remain fit for purpose, with a broad range of scenarios and sufficient detail to reduce the decision-making required and clarify roles and responsibilities.


5. Internal audit reviews of information security controls

Across the industry, entities' internal audit assessment of third-party information security controls appears limited. In some cases, internal auditors performing control testing lack the necessary information security skills.

According to APRA, entities’ internal audit teams should target audit areas where an information security compromise is material, and the ability to place reliance on other control testing undertaken is low. They should also review the scope and quality of testing conducted by other areas and third parties and report material deficiencies or absences of any assurance to the Board.

6. Inconsistent vulnerability reporting

Regulated organizations must also report material incidents and control weaknesses in their cybersecurity systems to APRA. However, the study found many entities used inconsistent and unclear processes for identifying and defining such incidents and deficiencies.

Common gaps included:

  • APRA notification requirements are not included in entity policy;
  • contracts with critical third parties do not contain the requirement to report material incidents and control weaknesses to APRA;
  • criteria to identify material and reportable incidents and control weaknesses are not clearly defined; and
  • the process to ensure timely reporting is not established or not enforced.

To improve vulnerability reporting, APRA recommends implementing straightforward governance processes for incident and control weakness escalation. Additionally, organizations should use various mechanisms to identify weaknesses, such as control testing, assurance activities, information security incidents, and vulnerability notifications from vendors and third parties.

Data sprawl is an issue for all organizations

As the APRA study makes clear, one of the fundamental issues organizations face is a lack of understanding of their data, including its location, sensitivity level, and lifecycle. Organizations struggle to protect individuals' privacy and cannot adequately respond to data breaches without a robust data inventory linked with data lifecycle policies.

Data inventories were traditionally created by surveying departments on the types of data teams keep and where they keep them. Such a manual approach is no longer sufficient in this world of multiple, often department-specific, platforms and file stores or where third parties store data.

Organizations without a robust data inventory fail to make good privacy decisions, such as removing data as soon as they are legally entitled to do so. Often this means data breaches are more significant than they would otherwise have been, and more current and former customers have their sensitive data stolen.

In the event of such a data breach, organizations that lack an accurate picture of their sensitive data struggle to identify impacted data. They cannot inform customers when their data is compromised and can’t take measures to mitigate the damage. They also cannot inform regulators like APRA, as they are legally required to do.  

Data breaches are thus more damaging and affect more people, and organizations face legal, reputational, and regulatory consequences.

Make informed privacy decisions

The solution to these challenges lies in making “active” data management a core part of the organization's information management program. Organizations can make informed decisions that secure their customers' sensitive data by prioritizing data retention privacy and dedicating resources to it. Creating an accurate data inventory, detailing the data, its relationships, and potential impacts if exposed, is crucial for mitigating the damage caused by data breaches.  

You cannot protect individuals' privacy unless you understand the data you possess. The findings from APRA's study highlight the urgent need for organizations to take data management privacy and cybersecurity seriously. As custodians of organizational data, records management professionals have a key role to play here.

By implementing the recommended measures and prioritizing the “active” management of data and stakeholders' privacy, organizations can protect sensitive data, comply with regulations, and maintain their reputation in an era of growing cyber threats.
