APRA CPS 234, the new Australian Prudential Regulation Authority (APRA) Prudential Standard, came into effect on 1st July 2019. The prudential regulator has warned businesses not to be complacent: 36 breach notifications have been received in the first four months of the new regime.
There is no doubt that financial services organisations would have been the targets of a much greater number of attempted cyber-attacks. APRA board member Geoff Summerhayes comments that:
“These are just the ones that succeeded – and that we know about. With some cyber incidents taking years to detect, it’s entirely possible that one of the banks, insurers or super funds has been compromised and we simply don’t know about it”.
Here are some key steps to simplify the enormous task of improving your organisation’s cyber resilience.
In order to develop a plan to build and maintain cyber resilience, organisations must first baseline their current status and establish any “compliance gaps”.
Worryingly, APRA noted that 70 per cent of regulated entities self-reported their “compliance gaps” against the new regulation. This is a big number, particularly given the subjective nature of any self-assessment.
The Australian National Audit Office (ANAO) found a similar level of cyber resilience across 14 non-corporate Commonwealth entities: only four entities (29 per cent) had complied with mandatory government requirements for information security. You can read the full report here:
The cyber security landscape is changing all the time; an environment can be compliant one day and exposed the next.
The number of breaches evidenced across the almost 600 APRA CPS 234 regulated entities in the past four months is not alarming in itself. However, as Mr Summerhayes says, it reveals “areas of common weakness”, many of which APRA had “called out repeatedly”. “For example, we have identified basic cyber hygiene as an ongoing area of concern,” he said.
APRA CPS 234 states that entities must maintain an information security policy framework and controls commensurate with the criticality and sensitivity of information assets and their exposure to vulnerabilities and threats.
A chosen framework needs to be both effective and practical; if you can’t implement it or monitor compliance with it, you won’t fulfil regulatory obligations. A systematic means of regularly measuring compliance against an effective security framework or set of controls is a good basis upon which to start.
The Essential Eight Framework, created by the Australian Government, is a prioritised list of just eight key security controls that organisations can implement to better protect their systems against a range of adversaries. The Australian Signals Directorate (ASD) found that, when assessed to be operating effectively, the top four alone mitigate 85% of targeted cyber-attacks.
The APRA CPS 234 standard requires that an organisation must test the effectiveness of its information security controls through a systematic testing programme. It must escalate and report to the Board or senior management any testing results that identify information security control deficiencies that cannot be remediated in a timely manner. By utilising a recognised set of lead indicators or security controls, such as the ACSC Essential 8 Framework, your level of resilience can be regularly tested against your regulatory obligations.
Regulatory Technologies (RegTech) have emerged and evolved to monitor and report on the efficacy of important security controls. They can operate automatically and continuously, alerting on any change in security control status so that your security team has the time-critical information it needs to investigate and resolve incidents. You can read more on RegTech in our blog post here: https://www.huntsmansecurity.com/blog/regtech-and-cyber-security-compliance/
The demands of the new standard don’t end with step 2. Entities are required to undertake audit activities that include reviews of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties. This is an enormous task for any organisation; that is why a systematic methodology for the measurement and reporting of resilience is so important.
As with step 2, testing of control effectiveness, RegTech can assist your organisation in fulfilling its requirements. The technology is an excellent tool for your security team to execute a systematic and objective cyber risk audit. The business can dynamically measure and understand its own cyber risk, and free up enough time to do something about it. Moreover, you can use RegTech to audit the resilience of third-party suppliers and establish a cyber trust index to identify resilient supply chain partners.
Your business’s cyber resilience can change quickly. It is no coincidence that regulatory bodies around the world are seeking greater transparency and timely risk information as to the cyber posture of regulated entities.
Cyber risk is becoming ubiquitous. By automating the monitoring and reporting of security control effectiveness, organisations, particularly those operating critical infrastructure, can clearly visualise and report on their current cyber risk exposure while simultaneously targeting resources at the cyber issues that matter.