Last week, Australian Prudential Regulation Authority (APRA) Chairman Wayne Byres spoke on the topic of prudential interest in cyber security.
“Adopting an ‘assumed breach’ mentality requires relentless preparation, with a focus on building resilience to attacks through detection and response capability, rather than relying solely on preventative measures,” Byres said, in speech given at an event organised at the Trans-Tasman Business Circle and Optus Macquarie University Cyber Security Hub.
Byres’ speech on cyber security comes just months after the CPS 234 Information Security kicked into gear.
In June last year, when the final version of CPS 234 was released, APRA Commissioner Geoff Summerhayes said, “A significant information security breach at an APRA-regulated entity is almost certainly a question of when, not if. In a worst-case scenario, a major breach could even force a company out of business. As a result, APRA is speeding up implementation of this standard, and expects all regulated entities to meet its requirements by 1 July next year.”
In his last year as Chairman, Australian Securities and Investments Commission (ASIC) Greg Medcraft said he believed the next major crisis would be brought about as the result of a major cyber-attack.
The information paper puts the onus on APRA-regulated entities to:
clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals;
maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity;
implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and
notify APRA of material information security incidents.
A month before the CPS234 commenced, Summerhayes said, “The new standard and accompanying prudential practice guide will reinforce the industry’s ability to withstand these information security threats, and to respond effectively when breaches occur. It is only a matter of time until an Australian financial institution suffers a material information security breach of the kind we’ve seen overseas, so they must be prepared.”
CPS 234 so far
In his speech last week, Byres said that, since the CPS243 has been in play, there have been 36 incident notifications.
Byres reiterated Summerhayes’ opinion that the next major breach of the financial sector is not question of ‘if’ but ‘when’, and spoke generally to some of the reports that have been received from APRA’s regulated entities, which ranged from an employee who accidentally emailed a spreadsheet externally that contained customer information, to outright fraud and data manipulation.
“It’s important to note that APRA’s regulated flock would have been subject to vastly more attempted cyber-attacks; these are just the ones that succeeded, and that we know about. With some cyber-incidents taking years to detect, it’s entirely possible that one of the banks, insurers or super funds has already been compromised and we simply don’t know about it,” Byres said.
Byres continued, indicating a recent survey conducted on regulated entities that showed 70 per cent of respondents self-assessing for gaps.
It seems APRA-regulated entities still have work to do to meet the CPS234 requirements.