APRA Security Update & Fast-Tracked Decommission

The Australian Prudential Regulation Authority (APRA) has decommissioned its legacy Direct to APRA (D2A) data submission system for entity access. The system was taken offline on Friday 20 March following the identification of security vulnerabilities through a routine penetration test on Thursday 19 March.

APRA is accelerating its program to transition all of its data collections onto the single interface of APRA Connect.

This action is precautionary and in line with APRA's low risk tolerance for system vulnerabilities that may expose APRA or regulated entities to attack. APRA is not aware of any security breaches or exploitation of APRA's systems.

Preventative security action

Organisations that use D2A should take additional measures as a precaution:

  • Immediately uninstall the D2A client. The presence of the D2A program could pose a residual risk. Removal is advised to protect your organisation's data integrity and security.
  • Review system and data security measures and undertake additional checks as a preventative measure.

Meeting reporting obligations

APRA is expediting its multi-year program to migrate all data collections from D2A to the APRA Connect portal, which includes enhanced user experience, performance and security features.

APRA has also put in place arrangements to ensure continuity and security of the data we collect on behalf of industry, and for other agencies and the public.

For an interim period, organisations with data submissions due are instructed to:

  • Complete their files as per their normal protocols in the lead up to the due date of their submission. XML or XBRL files are preferred.