Australia’s big banks have been slammed for their lax cyber security practices.

APRA, Australia’s prudential regulator, says the executive boards of banks should apply the same urgency to cyber risks as they do to credit or liquidity threats.

APRA has outlined a new four-year cyber strategy that will see it take a more targeted approach to ensuring financial institutions are complying with the prudential standard on cyber security.

The regulator is planning to hold boards and management accountable where there are breaches, according to APRA executive board member Geoff Summerhayes.

Remote working arrangements due to the COVID-19 pandemic are making matters worse, Mr Summerhayes says.

“In prioritising their ability to keep operating, many of the entities we regulate needed to make compromises to their normal information security protocols to facilitate the sudden switch to remote work arrangements for most or all employees,” he said.

“Very few entities have gone back to firmly close the gates they left ajar in March.”

He says APRA will be requesting one-off independent cyber security reviews across all its regulated industries.

“Starting next year, APRA will be asking boards to engage an external audit firm to conduct a thorough review of their CPS 234 (the prudential standard on cyber security) compliance and report back to both APRA and the board,” Mr Summerhayes said.

“We haven’t made a final determination on which entities this will apply to, but all entities should prepare accordingly.

“Where gaps are sufficiently material, we will consider forcing entities to issue a breach notice and create a rectification plan.

“If boards are unwilling or unable to make the required changes in a timely manner, we will consider using formal enforcement action,” he said.