Strengthening Cybersecurity in Australia’s Finance Sector: Mitigating Third-Party Risks

Third-Party Vendors


Consistent with our ongoing concern about third-party supplier and vendor-related risk, and to strengthen cyber security in Australia’s finance sector, the Australian Prudential Regulation Authority (APRA) launched a large-scale cyber security assessment. It aims to cover 300 banks, insurers, and superannuation trustees by the end of 2023. The assessment seeks to uncover vulnerabilities and weaknesses in the way third-party providers handle sensitive data and adhere to rigorous security standards.


The results of this ongoing assessment have highlighted critical issues specifically within supply chain security and incident response planning.


Mitigating Third-Party Vulnerabilities

One notable outcome of APRA’s assessment is the persistent concern surrounding supply chain security within the finance sector. Many entities in the sector rely on third-party service providers to manage critical systems and handle information assets. APRA found that information assets managed by third parties often lack adequate identification and classification. Without knowing which assets exist and how sensitive they are, entities struggle to apply appropriate information security controls, which in turn weakens their ability to safeguard critical and sensitive data from unauthorised access or disclosure.


APRA has expressed dissatisfaction with the depth of the assessments conducted over third-party providers and uncovered instances where these providers’ controls were not independently evaluated, or not assessed at all. Additionally, APRA found that many contracts with third parties lack any requirement to report material incidents and control weaknesses, which leaves the regulated entity unable to meet its own reporting obligations to the authority.


Strengthening Incident Response Planning

APRA has also raised concerns regarding incident response planning within the finance sector. Back in 2021, APRA identified a lack of preparedness for ransomware incident response. As a result, it now insists on a broader range of scenarios being tested. APRA emphasised the need for more comprehensive and practical testing of incident response plans, moving away from exercises built around implausible scenarios towards ones that reflect realistic threats. The finance sector must prioritise efforts to keep pace with evolving cyber threats and ensure effective response mechanisms are in place.


Safeguarding Australia’s financial landscape

APRA’s ongoing in-depth cyber security assessment of Australia’s finance sector highlights the importance of actively managing third-party risks and improving incident response planning. The vulnerabilities exposed in supply chain security and the gaps in reporting emphasise the need for closer management and supervision of third-party providers. By proactively addressing these issues to safeguard sensitive data, the finance sector can instil confidence in its customers and stakeholders.


While the findings and results of this assessment continue to emerge, we have worked to develop a number of options that help businesses address these risks.


These range from vendor, third-party and security assessments to readiness work against frameworks such as ISO 27001 and SOC 2.


For any discussion around this crucial topic, or if you would like assistance to better understand how to address this risk to your business, contact us at or fill out our form here.
