This article was originally published 11 August 2020.
The cyber threat landscape and challenges faced by the financial sector in Australia, and globally, change rapidly. Accordingly, organisations must be able to respond effectively to the changing environment and new vulnerabilities as they become evident. In the midst of the COVID-19 pandemic, Carbon Black reported that cyber security attacks on financial institutions have spiked by 238% between February and April this year.
This is a dramatic increase, but it is not new for threat actors to target financial sector organisations. The Australian Prudential Regulation Authority (APRA) has recognised the threat as we enter the new digital age and defined and implemented a new Prudential Standard CPS 234 (CPS 234). The purpose of CPS 234 is to ensure that APRA-regulated entities have implemented sufficient information security protections. Information security is no longer considered the sole responsibility of the information technology (IT) team, so CPS 234 requires finance sector organisations to consider the breadth of responsibilities across the organisation.
The implementation of CPS 234 has raised a number of questions for financial organisations. Who does CPS 234 apply to? How does CPS 234 apply to foreign entities? What are the information security requirements? How has the finance sector responded? What do you need to do to comply with CPS 234?
Who does CPS 234 apply to?
CPS 234 applies to all APRA regulated entities. These include:
- Banks, credit unions and other authorised deposit taking institutions (ADIs)
- Superannuation funds
- Life insurance companies
- Friendly societies
- General insurers
- Non-operating holding companies
- Private health insurers.
As of 1 July 2020, third parties that handle information assets associated with any of the aforementioned APRA regulated entities will also need to adhere to CPS 234, and attest to the security controls established when requested by the APRA regulated entity. In light of COVID-19 related impacts, APRA is considering requests for a six-month extension (to 1 January 2021) on a case-by-case basis.
How does CPS 234 apply to foreign entities?
CPS 234 applies to a specific subset of foreign entities. These include:
- Foreign ADIs
- Foreign general insurers
- Foreign life insurance companies.
The requirements for CPS 234 apply only in relation to the Australian branch operations of that entity. If the Australian branch is wholly supported technically by the head office entity, the head office will be tasked with evidencing compliance to the requirements of the Standard.
In addition to those specifically noted in legislation, foreign entities that handle the information assets of an APRA regulated entity will be required to provide attestation to the APRA regulated entity of their compliance from 1 July 2020 or 1 January 2021 (on a case-by-case basis).
What are the information security requirements?
CPS 234 clearly outlines the information security requirements organisations must comply with. These include:
- The Board and Executive Leadership Team (ELT) must own information security
- Roles and responsibilities must be defined, starting at the Board, ELT and senior governance committees
- Information security capability that is commensurate with the threat posed to the organisation must be implemented and maintained
- The information security capability of third parties that handle an APRA regulated entity’s information assets must be evaluated and the third party instructed to comply with CPS 234 requirements
- An information security policy framework must be defined to clearly articulate necessary controls and provide direction regarding information security
- Information asset identification and classification must be undertaken to understand the criticality and sensitivity of information assets
- An incident management plan and capability must be established, then reviewed and tested annually
- Control effectiveness must be regularly tested through the organisation’s standard assurance processes (e.g. audit and technical assessment), to provide assurance that vulnerabilities and threats are appropriately identified and managed across an information asset’s lifecycle
- APRA must be notified within 72 hours of any incident that materially affects, or has the potential to affect, customers, or that has been notified to any other Australian or Foreign regulator
- APRA must be notified within 10 business days regarding a control weakness the organisation cannot remediate in a timely manner.
How has the finance sector responded?
For the past four years, BDO and AusCERT have partnered to examine cyber security trends in Australia and New Zealand. Using the data from the BDO and AusCERT Cyber Security Surveys run in 2018 (prior to CPS 234 enactment) and 2019 (following the enactment of CPS 234), we can look at the year-on-year change in uptake of controls in the financial services industry. By looking at this year-on-year change, it is apparent that a cyber security uplift has taken place following the enactment of CPS 234. The following controls represent key elements of the CPS 234 standard and have significant increases in adoption:
- Implementation of cyber security training and awareness programs increased by 11%
- Implementation of cyber Security policies increased by 15%
- Board risk reporting increased by 20%
- Adoption of processes that allow for the identification of critical systems and information increased by 23%
- Cyber security standards for third parties increased by 38%.
The financial services sector has always been more mature in its implementation of controls due to its nature and risk profile. In addition to this aforementioned capability uplift, financial sector respondents demonstrated greater understanding of their responsibilities and implementation plans than their peers in other industries. On average, financial sector respondents had 43% more clarity on the cyber security controls they planned to implement. This is compared to a 23% average for all other respondents. These statistics demonstrate that the intention from APRA with the implementation of CPS 234 is hitting the mark and having the desired effect.
How does my organisation comply with CPS 234?
Most entities required to comply with CPS 234 will need to undertake a range of activities to demonstrate appropriate compliance. These requirements will differ based on the maturity of an organisation’s existing security capability and framework. To ensure compliance with CPS 234, organisations should undertake the following:
- Identify and address any compliance gaps - Implement quick, regular and simple self-assessment to understand their level of compliance with CPS 234
- Find opportunities to improve – Once considered CPS 234 compliant, organisations should assess their cyber security strategy and framework to identify opportunities to further enhance their readiness and compliance status
- Reduce the complexity and cost of complying with CPS 234 - Many entities must now demonstrate compliance with multiple cyber security standards and frameworks, not just CPS 234. There is an increasing need to simplify the cyber security compliance management process. What happens when an entity needs a single set of cyber security controls to meet compliance requirements for multiple regulatory standards? Or when those standards change? This can create a compliance nightmare that distracts security teams away from the ‘main game’ of improving the organisation’s security capability
- Assess and address issues with key third party cyber security capabilities - Entities must examine and assess the cyber security capabilities of their third parties. This involves having a framework to rapidly understand the risks associated with third party arrangements, and validate they have capabilities commensurate with the cyber security threats they face
- Objectively measure improvements in cyber security capability - Executive management, boards, and security teams across regulated entities are seeking greater confidence that the investments they are making in their cyber security capability are the right ones. This requires entities to review and deploy solutions to improve how they measure the performance of the cyber security capability, including building methods to define, collect and report the ‘point-in-time’ and ‘real-time’ lead and lag indicators that give genuine insights into the health of the entity’s cyber security posture.
BDO compliance self–assessment tool
Please contact one of BDO’s cyber security and CPS 234 advisers if you are interested in accessing a complimentary compliance assessment workshop, or would like to discuss how your organisation can rapidly and efficiently address the compliance requirements of CPS 234.