The Australian Prudential Regulation Authority (APRA) has moved to improve the Australian financial system's resilience against cyber threats by pushing forward with its assessment of the industry against CPS 234, the prudential standard for information security.
In recent years, cyber-crime has grown significantly in scale and sophistication, leading to several high-profile breaches making headlines in recent months. As Australian businesses scramble to ensure their procedures and policies pass muster, APRA has pushed forward with its assessment of the industry against CPS 234. The study provides insights into common shortfalls and gives guidance on addressing those gaps to improve the Australian financial system's resilience against cyber threats. APRA has released its findings from the first tranche of this major assessment, which are summarised in this article.
The recommendations made by APRA in this review make it clear that all regulated businesses must ensure they are sufficiently guarded against cyber attacks, especially those that deal in critical or sensitive information assets (notably financial services, defence industries, energy, and data processing and storage). APRA has recommended that all relevant entities review their processes against common weaknesses and develop strategies to address cyber security and governance policy shortfalls.
Although there are no financial penalties for failing to meet the CPS 234 standard, APRA has flagged its intention to ‘rigorously’ target areas of non-compliance.
What is CPS 234?
CPS 234 is the prudential standard which sets out APRA's minimum requirements for resilience against information security incidents, including cyberattacks. Broadly speaking, all authorised deposit-taking institutions (including foreign authorised deposit-taking institutions), non-operating holding companies, general insurers, life companies, private health insurers, and registrable superannuation entity (RSE) licensees are "APRA regulated entities" and therefore must comply with CPS 234. A key tenet of CPS 234 is that the board of an APRA regulated entity is ultimately responsible for the information security of the entity (i.e. it must 'maintain an information security capability commensurate with the size and extent of threats to its information assets'). CPS 234 details the minimum requirements to satisfy this obligation, including in relation to incident management, internal audit activities, and notification to APRA of information security incidents.
What is the Assessment About?
The assessment is the largest of its kind from APRA and will, by the end of 2023, cover over 300 banks, insurers, and RSE licensees that were required to appoint independent auditors to review compliance and report their findings to APRA.
The assessment aims to ensure APRA regulated entities maintain a baseline prevention, detection, and response capability to withstand cyber security threats as required under CPS 234.
This article focuses on the findings from tranche 1 of the assessment. The second and third tranches are currently underway, with statements from APRA to be expected in the coming months. The fourth and final tranche is due to commence later this year.
What are the Key Findings from Tranche 1 of the Assessment?
The tranche 1 findings indicate that there are some common failings for APRA regulated entities in their compliance with CPS 234, which attackers may seek to exploit. Below we have summarised the major weaknesses identified by APRA, and APRA’s recommendations for addressing those identified weaknesses.
- Weakness: incomplete classification of critical and sensitive information assets.
Recommendations: consider the impact of a security compromise on your business's critical or sensitive information assets when defining asset classification criteria. Ensure each asset is given a criticality rating equal to the highest rating of its constituent components.
- Weakness: limited assessment of third-party information security capability.
Recommendations: understand which assets are managed by third parties and use that information to determine the level of testing required. Understand the controls third parties have in place and test the effectiveness of those controls.
- Weakness: inadequate definition and execution of control testing programs.
Recommendations: adopt a variety of testing approaches, define clear success criteria for testing, and conduct testing with appropriately skilled and independent specialists.
- Weakness: irregular review and testing of incident response plans.
Recommendations: review and test incident response plans at least annually. Ensure incident response plans cover a range of plausible disruption scenarios and include sufficient detail to minimise the amount of decision-making required during an incident.
- Weakness: limited internal audit of information security controls.
Recommendations: have internal audit teams target areas where the impact of information security compromise is substantial and the ability to rely on other control testing is low. Review the scope and quality of testing conducted by third parties and report material deficiencies to the board.
- Weakness: inconsistent reporting to APRA in a timely manner.
Recommendations: have clear governance processes for escalating incidents internally and notifying APRA, including by using control testing, vulnerability notification, and other third-party notifications to monitor for security incidents.
The takeaway from the assessment at this stage of the game is clear: APRA expects entities to take cyber security seriously and wants to see meaningful efforts to improve compliance. We expect that recommendations coming out of the remaining tranches will follow the trend established in this first set of findings, but with far more than APRA’s disapproval at stake for entities that experience cyber breaches, there’s no better time to revisit your cyber security procedures.
Material in this article is available for information purposes only and is a high level summary of the subject matter. It is not, and is not intended to be, legal advice. Hazelbrook does not guarantee the accuracy of the information provided. You should first obtain professional legal advice prior to taking any action on the basis of any information contained in this article. This article is copyright. For permission to reproduce this article please email Hazelbrook Legal: email@example.com