APRA Regulators, CBA and the OAIC

Cyber Policy / Cyber Compliance, Industry Insights

On the eve of new APRA regulations around cybersecurity for financial services firms, CBA has had to agree to an undertaking with the Office of the Australian Information Commissioner (OAIC). For the rest of the world, CBA is Australia’s largest bank. This is big news for those concerned about cyber compliance.

Our largest bank now has a “court-enforceable undertaking” to get its act together when it comes to securing the privacy of the personal financial information it holds on millions of Australians. It seems they have no idea where much of that information is. It could be in a filing cabinet sent to scrap.

For some background, CBA managed to lose a few backup tapes and also had some internal hack that breached customer privacy.

A short recap of how we got here:

  • The Australian population has had enough of the misinformation and ongoing collusion of the banking hegemony
  • The Government launches a Royal Commission into the financial services industry
  • The Hayne Royal Commission’s final report was released on the 1st of February 2019. The entire Australian population was (not) shocked by the revelations. Organisations that have always had our best interests at heart, and are therefore angels, collectively have not looked after us, or our dead grandparents’ financial advice (to this day), so well? Who would have thought?
  • Probably the greatest disappointment in the findings lies with the regulators expected to police these behaviours (e.g. APRA, ASIC and many others)
  • APRA releases a report questioning CBA’s handling of cyber risks, especially privacy
  • The OAIC receives a court-enforceable undertaking from the CBA

APRA’s new CPS 234 – Information Security comes into effect on July 1 2019. For the Governance, Risk and Compliance department of a prudentially regulated organisation, it may invite additional issues. The upcoming regulatory requirement mandates specific information security compliance: the IT department will be required to formulate strategies that keep the organisation’s technology operating, while risk management ensures the organisation continues to exist.

Cyber is now an operational risk that sits with the ELT and the board. APRA is not going to blame IT for a cyber incident; rather, organisational leaders are likely to be held liable for cyber incidents. So will the judiciary. So will the people. Have a long hard think about that. Precedent is there in the US if you don’t believe me. Actions against directors and officers for being asleep at the cyber wheel are becoming more common. Finally, the regulators in this country are making management of cyber risk an organisational responsibility. Hopefully, this regulatory push will create some urgency, at last.

CTRL Group provide the following recommendations:

  • Escalate IT management, including IT security functions, into more management dialogues
  • Prepare for the worst – A crisis management process will most likely be less crippling to the business than say, losing all your customer data to the dark web.
  • Incident response planning and Penetration Testing – An incident response strategy is only as good as its last test
  • Get some advice. Helping organisations reduce their exposure to cyber risk and respond to incidents is what we do. It is better to engage with us before the rain
  • Remember that the only way to reduce the brand, reputation, financial and functional damage from inevitable cyber incidents is to handle them well

CBA will get through this – do you have the bench to handle a very public cyber incident?

CPS 234 is coming, and after Hayne the regulators can no longer afford to be toothless tigers. APRA’s actions on CBA are a good indicator of this.