APRA brings cyber security into focus for financial institutions

APRA has issued a new mandatory regulation, CPS 234 which commences on 1 July 2019. This Prudential Standard aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyber-attacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats.

A key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including information assets managed by related parties or third parties.

The Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security.

What is CPS 234?

CPS 234 is a mandatory regulation issued by the Australian Prudential Regulatory Authority (APRA) and commences on 1st of July 2019. It requires organisation to uplift their information security capabilities commensurate with the evolving size and extent of the threats to their assets.

Key capabilities to keep in mind for information security include:

• Security Governance model
• Skilled resources
• Information security framework – which should include:
  • Controls to secure the organisation from information security threats
  • Controls which provide vigilant capability on the evolving threat intelligence and how it may impact an organisation 
  • Controls which provide resiliency to recover from and minimize the impact of cyber incidents

CPS 234 requires uplift in 6 key domains of information security. These are:

• Cyber Security Framework and organisational accountability and reporting. A robust framework and corresponding controls are required. Information security roles and responsibilities for the Board, senior management, governing bodies and individuals must be defined. 
• Information asset identification and classification. Information assets must be classified according to their criticality (impact of loss of availability) and sensitivity (impact of loss of confidentiality and integrity).
• Third party compliance. Extension of information security to third-parties to protect sensitive information is required.
• Systematic assurance. APRA regulated entities must continually test their systems to ensure that their security capability is commensurate with the evolving threat landscape
• Security incident response. Formal incident plans must ensure support for all incident cases and there is need to notify APRA of material information security incidents
• Internal audit. The design and operating effectiveness of information security controls must be reviewed.

Why do we need CPS 234?

The cyber landscape is continually evolving. CPS 234 is a direct response to this changing environment. Today’s top threats include:

• Payments and card fraud
• Geo-positional hacking
• Attacks on financial big data
• Mobile OS/App vulnerabilities
• Supply chain attacks
• Attacks on critical infrastructure.

The threat landscape today:

• 26% of cyber-attacks are directed at the financial services industry (NIT Security 2018 Global Threat Intelligence Report)
• $2.5 million is the average cost of a data breach in Australia (2017 Ponemon Cost of Data Breach study)
• 54% increase in mobile malware variants (Symantec Internet Security Report 2018)

What should organisations do?

There are three key steps in ensuring compliance with CPS 234:

1. Diagnostic gap analysis. Organisations should work to understand their needs by identifying potential gaps and weaknesses in their current processes and capabilities that may expose data assets to malicious parties.
2. Risk treatment. Once gaps are identified, a pragmatic and risk-based plan must be developed and delivered to address them in the required timeframes.
3. Ongoing monitoring and assurance. Continuous monitoring of the organisation’s cyber risk profile is required. Doing this will allow for assurance to be provided to management, the board and other key stakeholders.