Cyber-crime doesn’t wait for regulation
Financial services are facing an unprecedented set of pressures from increasing cyber threats, disruption, competitive pressure from new entrants, consumer and shareholder activism and regulatory oversight.
APRA recently announced new measures to holistically improve the cyber security resilience of the financial services industry as part of their 2020-24 Cyber Security Strategy. In their announcement they reinforced the requirements of CPS 234 and took a step further by announcing a tripartite independent review of compliance with the standard.
APRA wish to see a supportive, integrated and resilient industry and ecosystem. We support this intent and reinforce the position that all members of the financial services ecosystem (including institutions, as well as third parties and customers) must remain vigilant to cyber threats. This year’s rapid move to remote working, an ever-increasing reliance on third parties and on-going transformation to modernise and digitise services all present expanded attack surfaces for cyber criminals. However, these changes are imperative for the industry to deliver improved services in a competitive and modern marketplace. Financial institutions cannot stand still, but by maintaining a focus on resilience as a key objective of transformation, modernised technologies should come with enhanced cyber security capabilities.
The core obligations set out in CPS 234 provide the necessary framework and capability for boards and management to actively maintain a strong information security posture whilst continuing to evolve their technology and supplier landscape. APRA’s announcement, and our experience, tells us that there are foundational core competencies that must be in place to maintain resilience.
Accountability and Oversight
One of the core tenets of CPS 234 is that boards are ultimately responsible for the security of an organisation. APRA have reinforced this, noting they will formulate board guidance and ‘step up their scrutiny of cyber oversight practices’. Secondly, internal audit “should be the eyes and ears of the board into their organisations”. They flagged that internal audit functions often don’t have sufficient cyber security skillsets, audit committees fail to act or are unable to interpret the severity of the ratings and aren’t thorough enough in their cyber reviews.
We recommend boards and internal audit functions consider their cyber-fluency and seek to augment their knowledge and ability to actively challenge and maintain oversight through:
• Appointing expert cyber-security advisors.
• Undertaking tailored learning and development programs.
• Challenging management to provide relevant, transparent and actionable reporting.
Baseline Security Controls
Historically, CPG 234 has provided the only official guidance for implementing CPS 234; however, in Geoff Summerhayes’ APRA speech, the development of a set of basic and non-negotiable cyber practices was hinted at.
In the meantime, organisations should look to the established and mature information security standards such as ISO 27001 and NIST for guidance to ascertain whether they have comprehensively met the requirements of CPS 234.
Additionally, some key questions should be asked and addressed.
1. Have business and security risks been defined? Are risk and threat assessments timely and responsive to the speed of evolving threats? How do you track, monitor and measure security risks?
2. Has an assessment of all information assets been conducted (criticality/sensitivity)?
3. Has an assessment of security controls against information assets been conducted? Have you remediated or implemented prioritised security controls? Do you have the baseline controls defined in CPG 234 (e.g. DLP, identity and access management)?
1. Has the board approved a risk appetite for cyber security?
2. Do you have a security strategy that is regularly updated?
3. Does your board understand the key cyber security risks? Are they kept regularly informed on cyber security risks and issues?
4. Is your internal audit team conducting security-focused audits against CPS 234 on a regular basis? And do they cover both design and operating effectiveness in these audits?
Employees, Customers & Contractors
1. Do your employees and customers understand your policies, standards and procedures that govern security?
2. Do you have a program in place to continuously educate your employees, contractors and third parties about the priority people-related security risks? Do you measure and report success of this program?
3. Do you have a comprehensive third-party assurance program in place? Have you uplifted contracts with third parties as a risk management method of ensuring they maintain a commensurate level of security for the classification of information assets they receive or manage on your behalf?
Demonstrable control compliance is key to maintaining an appropriate cyber security posture, and thus to maintaining compliance with CPS 234. To prepare for the upcoming tripartite reviews, internal audit and first-line control assessments should be completed.
KPMG supports APRA’s Cyber Security Strategy and the pending tripartite reviews, as international examples of similar initiatives have been shown to create an improved financial services chain of resiliency. Certainly, sound and trusted financial systems, as a cornerstone of our economy and society, are a worthy objective for a regulator to set.