APRA member Geoff Summerhayes has recently delivered a speech on APRA’s view of Cyber Security maturity within the ~600 Australian Financial Services Institutions. This should be compelling advice for all risk, technology and cyber professionals in financial services.
The focus of cyber security resilience within financial services has been obvious through APRA publishing the first prudential standard on information security (CPS234 effective 1st July, 2019). (For more detail see my previous article here). As well, the 2020 APRA Corporate Plan elevated the improvement of cyber resilience across the financial system to one of the top four strategic priorities.
The perspective of adopting an “assumed breach” mentality – assuming that information and security defences will, at some point be compromised is key. Ensuring the systems and experienced personnel available to “repel the attack, re-secure the network and rectify any damage.”
This is not just lip service with APRA being formally advised of 36 incident notifications since July, 2019.
Some specific weaknesses in cyber security maturity that APRA has noted (and will obviously be targeting) include:
- Basic cyber hygiene remains an ongoing area of concern. This includes running systems for which the vendor no longer provides support or security updates; the lack of a comprehensive security patching regime and poor access management practices are also common.
- Failure to define a complete inventory of information assets and, subsequently, to implement effective oversight where those assets are managed by third parties. This covers both cloud-based services and traditional support arrangements.
- Immaturity in assessing and gaining assurance over the information security capability of third parties that manage information assets on an FSI’s behalf.
- Sole reliance on certifications or other forms of assurance provided by third parties, without considering whether the assurance they provide is sufficient.
- Immaturity in the control of privileged access to systems: handing over the “keys to the kingdom” by allowing access to information and systems without tight controls.
These weaknesses are all components of CPS 234. Notably, APRA has reported that over 70 per cent of APRA-regulated entities self-assessed CPS 234 compliance gaps. Identification is obviously the first step; a remediation plan backed by evidence of control effectiveness is key to gaining APRA’s confidence.
As an outcome, APRA will increasingly challenge entities by using data-driven insights to prioritise and tailor extended supervisory activities. This will inform the creation of baseline metrics against which APRA-regulated institutions will be benchmarked and held to account for maintaining their cyber defences. APRA will also improve its own capability by making greater use of third-party expertise.
APRA will be enforcing in a “constructively tough” manner.