Cybersecurity in financial services
The full cost of cybercrime in Australia is hard to quantify – not all breaches are notifiable – but it runs into billions of dollars in direct costs and lost productivity. In just the last half of 2020, the financial sector was burdened by more breaches involving malicious and criminal attacks than any other sector. The Federal Office of the Australian Information Commissioner (OAIC) reported 53 cyber attacks in finance, ahead of 22 human errors and 5 system faults, for a total of 80 notifiable incidents in 6 months.
Financial services need the confidence of knowing they’re complying with Australian Prudential Regulation Authority (APRA) regulations and guidance – both for compliance and to ensure protection against a growing cybercrime threat.
The Australian Prudential Regulation Authority (APRA) is an independent statutory authority that oversees banking, insurance and superannuation institutions.
APRA issues and enforces a series of prudential security standards to ensure that, under all reasonable circumstances, financial promises are kept by regulated entities.
When APRA licenses banking, insurance or superannuation businesses to operate, they become a prudentially regulated entity: they must comply with standards like APRA Prudential Standard CPS 234 that APRA will supervise and enforce.
Proactive protection of digital information and assets is a social and financial imperative. To combat the pervasive threats of criminal activity, APRA-regulated entities must meet minimum standards to:
- protect data from vulnerability and threats commensurate with data value
- detect breaches swiftly and take action to minimise impact
- respond effectively to incidents affecting information security
- maintain assurance of information systems security through constant capability testing and auditing.
Beyond CPS 231 and CPS 232
CPS 234 goes beyond 231 and 232 and is specifically designed to address the information security of a company’s digital assets.
CPS 231 refers only to ‘appropriate due diligence, approval and ongoing monitoring’ of ‘outsourcing arrangements involving material business activities entered into by an APRA-regulated institution and a Head of a group’.
CPS 232 addresses some business continuity and risk management activities of APRA-regulated institutions.
About CPS 234
From 1 July 2020, all APRA-regulated entities must have, or have outsourced to a capable third party, information security systems to meet the requirements of CPS 234, the Prudential Standard for Information Security.
CPS 234 addresses information security capability and includes all information assets across business resources, skills and controls. It goes further to include third parties who provide information security services, and third parties who may access or use business information assets.
What are the key requirements of CPS 234?
An APRA-regulated entity must:
- clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals;
- maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity;
- implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and
- notify APRA of material information security incidents.
Who is a financial entity under the authority of APRA?
A financial entity includes:
- all banks and other authorised deposit-taking institutions
- general insurers
- wealth managers
- financial advisers
- life insurance companies
- private health insurers
- registrable superannuation entity (RSE) licensees.
Can third parties still manage a regulated entity’s digital security?
Yes. The APRA-regulated entity remains responsible for assessing the ongoing capabilities of the third party. It must also give special consideration to the potential consequences of an information security incident affecting the third party, and therefore the entity’s own assets too.
The entity is also responsible for evaluation and approval of the design of particular controls used to protect digital assets.
What particular IT and ICT protection controls are required?
Every IT control system managed directly or via a third party must:
- protect all information assets according to their vulnerabilities and current environmental threats as assessed by the Board/Company
- detect and respond to any threat or incident quickly and appropriately, depending on the criticality and sensitivity of the data under threat
- take action appropriate to the life cycle stage of the data asset. The stages can be anything from planning and design through to decommissioning and disposal
- take action according to the potential consequences of a security incident with each asset.
How quickly must APRA be notified of a breach?
APRA must be notified of a security breach as soon as possible, and no more than 72 hours after the entity becomes aware of an information security incident that has affected, or has the potential to affect, the entity or its stakeholders.
APRA also requires entities to notify it of any incident that has been notified to other regulatory bodies, including overseas regulators.
How quickly must APRA be notified of a system fault?
APRA must be notified of a system fault as soon as possible. This means no later than 10 days after the entity becomes aware of an information security control weakness that cannot be quickly remediated.
What should internal audits cover?
Internal audits must cover as a minimum:
- a review of the design and operational effectiveness of the controls, including those provided by a related or third party
- a review of the skills and experience of all personnel involved in information security to assure appropriate management
- a full review of the information security assurance provided by a related party or third party, where the entity is relying on that assurance, or where an incident could potentially affect the entity or its stakeholders’ interests. This applies to all the information assets managed by the third party, not just those assets related to your entity.
Top 6: How the right MSP helps you comply with CPS 234
#1 Defining roles and responsibilities
Under CPS 234, the Board is responsible for protecting company digital assets and information. They must ensure that information security is maintained in line with the size of the assets and threat profile, by maintaining resilience and the capability to maintain operations.
Your MSP can assist in clearly defining and communicating the roles and responsibilities within your organisation – including Board members, senior management, governing bodies, and individuals who play a role in information security.
#2 Develop and maintain a policy framework
Your MSP can support you to maintain a policy framework that demonstrates how you will establish and maintain systems that increase your business’s resilience to information security threats and incidents. You must also prove your business capability to respond swiftly and effectively to any breach from any source.
These frameworks must be scalable, appropriate to your threat exposure and data sensitivity – and your policy must clearly outline responsibilities for the maintenance of information security.
#3 Timely response to threats
As an APRA-regulated entity, get MSP support to create and maintain information security response plans to respond swiftly and vigorously to incidents. You must have processes in place to:
- address and control every stage of an incident from first detection to review and improvement
- escalate and report incidents to the Board, other bodies (like APRA) and IT security individuals
- review (at least annually) plans for asset management to effectively address contemporary incident scenarios.
#4 Identify controls that match the context
Get support to put controls in place that are commensurate with:
- vulnerabilities and threats to the information assets;
- the criticality and sensitivity of the information assets;
- the stage at which the information assets are within their life-cycle; and
- the potential consequences of an information security incident.
#5 Systematic testing of controls
Every APRA-regulated entity must use a systematic regime to test the effectiveness of its information security controls. Your MSP keeps track of the types and frequency of testing, which must be adaptable and scalable to:
- the rate of change in threats and vulnerabilities
- criticality and sensitivity of the entity’s assets
- potential consequences of an incident involving any asset
- the materiality and frequency of changes to information assets.
Look for an MSP who can deliver testing “conducted by independent specialists with commensurate skills and experience” at least once a year, or whenever there is a ‘material change’ to the business environment or information assets.
#6 Internal Audit
CPS 234 mandates a minimum standard; Harbour IT’s SIEM goes beyond it, giving actionable information as needed, with auditable logs for every process. Our cloud services take a similar approach, with our development teams constantly monitoring and improving security controls as the cybercrime environment evolves.
How Harbour IT supports your CPS 234 compliance
Harbour IT understands the changing nature of business continuity and the demands of balancing the latest technology with robust security standards. We are aligned with both APRA requirements and the Payment Card Industry Data Security Standard (PCI DSS) regulations and practices.
Does your business need to step up or get a secure edge in the competitive financial services market?
Get proactive about CPS 234 compliance with Harbour IT and contact us to discuss our Solutions for Financial Services.