Superannuation funds will likely be compelled to engage external audit firms to conduct a review of their cybersecurity arrangements, under a new regime being put in place by the Australian Prudential Regulation Authority.
The regulator announced the move today with its board member Geoff Summerhayes saying APRA would “shortly be requesting one-off tripartite independent cyber security reviews across all our regulated industries”.
He said that, starting next year, APRA would be asking boards to engage an external audit firm to conduct a thorough review of their CPS 234 compliance and report back to both APRA and the board.
“We haven’t made a final determination on which entities this will apply to, but all entities should prepare accordingly,” Summerhayes said.
He also used his speech to a Financial Service Assurance Forum to reveal that fund managers and other suppliers to APRA-regulated entities would be part of the assessment process with respect to cybersecurity.
“To achieve this, APRA will engage with a selection of suppliers, auditing associations and financial entities to develop stronger third-party provider assessment and assurance practices for use by APRA-regulated entities,” Summerhayes said.
He also pointed to the development of greater alignment between APRA, the Australian Securities and Investments Commission (ASIC) and the Reserve Bank with respect to cybersecurity requirements.
Super funds had a “tremendous month” in November, according to new data.
Australia faces a decade of deficits, with the sum of deficits over the next four years expected to overshoot forecasts by $21.8 billion.
APRA has raised an alarm about gaps in how superannuation trustees are managing the risks associated with unlisted assets, after releasing the findings of its latest review.
Compared to how funds were allocated to March this year, industry super funds have slightly decreased their allocation to infrastructure in the six months to September – dropping from 11 per cent to 10.6 per cent, according to the latest APRA data.