Almost every day we hear about another cyberattack on businesses. Peter Malan, who runs PwC’s Cybersecurity and Digital Trust, is urging financial institutions to do more to meet APRA’s information security regulation, CPS 234.
In Australia as in every other country, cybercriminals have taken advantage of the wholesale move online to ramp up their efforts, with a particular focus on ﬁnancial entities.
And it’s working. The federal government has estimated cyberattacks cost Australian businesses approximately $29bn – a ﬁgure that is only likely to rise. More than half of businesses (56%) say state-sponsored attacks on critical infrastructure are likely, while even more (58%) say data breaches reported to the Offi ce of the Australian Information Commissioner were due to malicious or criminal attacks. It’s a problem that demands a robust response from the government.
Setting standards for cybersecurity
In November 2020, outgoing APRA executive board member Geoff Summerhayes said the regulator was seeing “too many basic cyber-hygiene issues across the industry” at a time when threats were increasing exponentially. As a result, APRA has embarked on a Tripartite Reviews program to gauge the level of compliance with CPS 234, commencing with independent pilot assessments for selected regulated entities in the ﬁrst half of 2021.
Applying to all APRA-regulated entities, CPS 234 introduced new requirements around identiﬁcation and classiﬁcation of information assets, the deﬁnition of roles and responsibilities for cybersecurity, and the implementation and testing of security controls, incident management, internal audits and assurance, and breach notiﬁ cation processes. Importantly, it also includes requirements around how businesses manage third-party risks.
While many banks, superannuation funds and insurers, as well as non-bank lenders and aggregators, have been working towards compliance since CPS 234 came into effect in 2019, it’s clear there’s more work to be done. APRA is now warning of action against those companies that don’t take rising security threats seriously, and is beginning its next stage of enforcement against organisations that have not yet fully complied with CPS 234.
Even those organisations that feel conﬁdent in their efforts should look again at their security posture. As the cyber landscape shifts and evolves daily, our experience is consistent with APRA in that some organisations that may consider themselves compliant with CPS 234 may not actually pass the assessment. Punishments for oversights may be strict.
Checking your security blind spots
Once the Tripartite Reviews are completed, APRA will then determine the scope of its future enforcement. But expectations are that further assessments and audits will begin sooner rather than later.
Now is the time for all regulated entities to get their houses in order. We’ve identiﬁ ed three key areas where organisations need to focus their attention:
1. Securing your supply chain
The biggest area of focus for organisations is third parties meeting the standards of organisations. When it comes to CPS 234, every company you work with that manages your data or assets must also adhere to the regulation’s standards – and you need to document how those processes work and what assets are being used. It’s critical that you expand the visibility of the security and digital asset management processes and controls your suppliers and vendors use across your ecosystem.
2. Putting your controls testing programs into practice
Secondly, while it’s clear that a lot of time and eff ort has been invested into CPS 234 compliance processes to this point, it could all be for naught without stringent testing of its effectiveness. That’s why the CPS 234 mandates a systematic testing program that regularly tests your infrastructure and processes for weaknesses. It’s high time to consider a structured assessment program for information security controls and security incident management.
3. Identifying and classifying information assets
One of the central tenets of the regulation is creating an understanding of what your information assets are, their criticality and sensitivity, and where they are located.
Regulated entities need to put a greater focus on ensuring there is suffi ciently comprehensive evidence not only of the data and assets themselves but of the processes and controls that manage them. Organisations need to consider improving their CPS 234 compliance as part of their wider IT and cybersecurity strategy.
So, what’s next?
There are a range of additional activities regulated entities can – and should – be exploring to meet the security standard.
Investment won’t be wasted. Future regulations will use similar best practice processes and programs.
We recommend businesses review their compliance eff orts to ensure alignment with the intent and word of the standard, including completing gap analysis of their existing security practices and operating model against the standard; asset identiﬁcation and categorisation; establishing and operating third-party security assessment programs; executing independent security control testing; and augmenting existing internal audit capabilities.