How ‘confidential’ is your personal information? APRA is putting companies on notice with a new standard

Shannon Saxby, Senior Consultant
KPMG Forensic

Earlier this month, the Australian Prudential Regulation Authority (APRA) put the organisations it regulates on notice that it is cracking down on how they protect confidential information.

The regulator's proposed new standard, Prudential Standard CPS 234 (Information Security), sets the bare minimum that regulated entities must achieve when implementing their cyber resilience plans.

APRA acknowledges that cyber attacks will continue to be a problem and is requiring the entities it regulates to be proactive in managing them. In particular, CPS 234 would require entities to:

  • define the roles and responsibilities of the Board and senior management for information security;
  • put in place controls to protect confidential information, and undertake annual testing and assurance of the effectiveness of those controls;
  • implement safeguards to detect cyber incidents and be able to respond to an incident swiftly; and
  • notify APRA of material information security incidents.

Paragraph 12 of the proposed standard will be crucial, as APRA is placing ultimate responsibility for information security, and for the handling of cyber incidents, on the Board.

The proposed standard is not a surprise. Last year, the Australian Securities Exchange (ASX) released its Cyber Health Check Report, a survey of the directors of Australia's top 100 listed companies. All bar one of the companies surveyed believe the ultimate owner of cyber risk is the CEO (29 percent) or another member of the C-suite. However, only 7 percent of Boards had a clear understanding of the cyber security surrounding their critical systems, and only 8 percent of directors believed they had a strong understanding of their company's cyber resilience framework. In other words, Boards understand that the buck stops with them, but few can articulate what their company is actually doing to protect client and customer data.

APRA is also concentrating on third party providers. Paragraph 15 of the proposed standard requires an APRA-regulated entity that shares confidential information with a third party to assess the information security capability of that third party.

The ASX cyber survey sheds light on why this matters. Of the companies surveyed, only 11 percent had Boards with a clear understanding of where and how company data was being exchanged with third parties. Yet 43 percent of Boards somehow felt confident that their company was properly secured against cyber attack.

The risk is real. In 2017, for example, Disney was held to ransom after a post-production company it worked with was compromised; the attackers threatened to release upcoming films unless a bitcoin ransom was paid.

The proposed standard will therefore require regulated entities to perform due diligence on anyone they share confidential information with. Third parties that lack appropriate security standards may quickly find themselves out of work unless they invest in improving their cyber security and resilience.

The entities APRA regulates span industries that are fundamental cornerstones of our society. Customers and clients entrust them with confidential information that, if compromised, could have a crippling impact on those customers' financial and social welfare.

APRA is aiming to finalise the proposed standard by December 2018. In the meantime, Boards should continue to improve their cyber security, resilience and response plans, make sure they can prevent and detect breaches, and obtain independent assurance that what they are doing is effective.
