Compliance & Legislation | Operational resilience

August 23, 2023

It took a “tripartite cyber assessment” by the Australian Prudential Regulation Authority (APRA) to identify that a sample of financial organisations had inadequate cyber security: poor security control management, a lack of business recovery planning and inadequate 3rd party risk assessment. Why were there gaps? Where is the failure? 

Clearly the common practice of unsubstantiated risk assessment and anecdotal reporting is inadequate and can only lead to misplaced confidence and hidden cyber gaps.

Recent reports have emerged suggesting that Australian financial organisations may be willing to “chance it” when it comes to their cyber security.

In July 2023, APRA published the initial findings of its Information Security Prudential Standard CPS 234 compliance audit of banks, insurers and superannuation trustees. The results are concerning.

  • Incomplete identification and classification of critical and sensitive IT assets
  • Limited assessment of third-party information security capabilities
  • Inadequate definition and execution of security control testing programs
  • Lack of incident response plan testing and review
  • Limited internal audit reviews of information security controls
  • Inconsistent reporting of material incidents and control weaknesses to APRA, in a timely manner.

Some of these “gaps” go directly to the operation of the cyber security governance process and the need for operational resilience. It’s certainly right that regulators continue to remind directors about their responsibilities for cyber security and oversight. But these reminders appear to have had limited effect in the past. Given last year’s cyber-annus horribilis, cyber governance, as part of an organisation’s operational risk management, is a priority. Emerging requirements such as APRA’s CPS230 underline this.

In late June 2023, the Australian Bureau of Statistics (ABS) published a report on Characteristics of Australian Business 2021-2022, which alarmingly found that as few as 20% of Finance and Insurance Services businesses had upgraded their cyber security software, standards or protocols in the last year. That, despite 57% of the sector actually experiencing some sort of impact from a cyber incident during the period.

What does this say about our cyber security intent?

It’s likely that the security gaps being observed in the finance sector are due to a lack of investment in cyber security systems and processes, and a lack of appreciation for the dynamic and evolving nature of cyber resilience. This lack of investment in cyber security software, standards and protocols points to cyber resilience improvement being a long way off.

One reason progress in cyber security is so slow is its complexity. In the UK the National Cyber Security Centre (NCSC) suggested recently that the job is bigger than many organisations think, “data flows have ballooned… and the cyber security landscape has become even more complex.” Effective cyber security now means regularly dealing with complex modern IT systems; with cyber security management practices that are no longer adequate. And the persistent hostile threat environment, is making it harder to deliver improved cyber resilience at speed and scale. Cyber security is quickly becoming a data analysis problem.

Effective cyber security risk management means all-in

Cyber risk management practices of many organisations are rightfully based on their own perceived levels of exposure, suitability of controls and risk appetite – that’s the whole idea. The problem, however, is when the absence of suitable and reliable cyber security assessment process means organisations can’t be confident about their security level or that of their potential business partners. Without a recognised system or standard “measure” to confirm an organisation’s relative levels of cyber resilience, it all gets too vague. And in an interconnected world this can quickly translate into systemic risk.

For that reason, organisations need to incorporate current cyber risk management and industry best practices into their cyber governance and operational resilience processes. Fundamentally, they need clear visibility of their digital assets and to be able to identify any gaps that emerge in the security controls that protect them. APRA’s Prudential Practice Guide CPG 234 actually recommends that organisations “actively maintain an information security capability” that addresses “changes in the vulnerability and threats” environment.  It continues, they should be guided by “established control frameworks and standards.”

The new APRA CPS230 requirements on operational risk management, due to come into force in 2025, reinforce this need to manage cyber security risks and report on control effectiveness both inside the business and in its supply chain. Vulnerabilities and the threat environment are clearly exploding; and principle-based security approaches without the inclusion of established control frameworks to instruct and guide the operational management of cyber security, is likely inadequate in the current and future risk environment.

What is worse than a security control gap? A cyber-iceberg

The upside of the security gaps identified by APRA, is they’re now reported to risk stakeholders and their prognosis for mitigation is good. Without rigorous and systematic risk assessments or evidence-based processes, like the ones undertaken by APRA, these serious vulnerabilities would have remained like an armada of cyber icebergs, invisible to the organisations’ customers, their business partners and the regulator itself.

In late 2022, The Cyber Security Industry Advisory Committee, in its annual report to the Australian Government, recommended that a systematic empirical, data-driven cyber security maturity measurement system be adopted nationally. A system that provides a true and accurate (maturity level) measure of the cyber resilience of organisations and the wider economy. Driven by concerns about the reliability and accuracy of widely-used anecdotal assessment methodologies (and the potential for cyber gaps we’ve spoken about), it sought to address the need for better quality evidence-based risk assessment practices and greater confidence in cyber resilience measurement.

In that same year, the Australian Cyber Security Centre (ACSC) published an Essential Eight Assessment Process Guide to accompany its tested and proven ACSC Essential Eight Cyber Security Maturity Model. For the first time, the guide recommended the use of evidence-based cyber security assessment techniques to more reliably measure cyber resilience. Moving beyond recommended security controls, it highlighted the importance of:

  • the quality of a cyber resilience assessment;
  • reliable evidence of control effectiveness, and
  • the confidence levels of that evidence to verify those assessments.

The Guide prioritised the importance of quantitative assessment and objective evidence over subjective interviews, questionnaires and intuition – the very places where invisible gaps can lurk.

The ACSC Essential Eight Maturity Model is a broad ranging security framework recommended and maintained by the ACSC. Its detailed schedule of controls means it can be used as a check-list to selectively guide your cyber security efforts. Importantly, it is ideally suited as the framework for automated data-driven control measurement processes to reliably evidence and report your cyber resilience.

Interestingly, the UK’s NCSC, recently made similar pronouncements when it favourably contrasted the reliability of quantitative data-driven cyber security assessment with less reliable anecdotal or intuition-based methods. Using empirical information to support evidence-based decision making, it argued, will transform cyber security management efforts. These data-driven techniques also better address the growing speed and scale requirements of cyber security assessment and reporting.

Data-driven empirical analysis for evidence-based cyber security decision making

How cyber security gaps are to be identified in the future is key to how organisations effectively navigate the threat environment into the future. It took a robust audit process for APRA to identify the very real threats lurking under the surface in their sample cohort. With these sorts of gaps potentially lurking wherever subjective questionnaires or unsupported anecdotal cyber security assessments are undertaken; what is the process to limit cyber gaps into the future?

Stakeholders at every level are seeking greater confidence in the cyber maturity levels of their supply chain. Zero trust principles – designed to eliminate implicit digital trust – speaks very much to the demand for a greater level of confidence in the cyber risk controls in place to protect our systems and ultimately our core assets. The adoption of accessible systematic and objective cyber resilience measurement is needed to limit the moral hazard being created by those employing less diligent cyber security practices.

There’s talk of more informed cyber security assurance processes, ones that examine any evidence for the purpose of providing an independent, and objective assessment of risk. That’s a start of course, but without a systematic scientific process to verify that evidence, “the exchange rate for a cyber risk” is different for each of us. It’s the steps that remove subjectivity and cognitive bias and replace it with timely empirical measurement that will deliver a trusted basis for cyber security decision making.

It’s essential that all organisations identify and close these cyber gaps quickly before they become an undisclosed liability for themselves and 3rd parties. Performing these tasks accurately will transform cyber security risk management practices everywhere and maintain the APRA objective of currency of cyber security capabilities.

Effective cyber security is all about managing the detail within all the noise. Systems are complex, skilled staff are hard to attract and retain, data volumes are growing and you’re looking to protect every last potential point of unauthorised access. Gaps are a problem, and current cyber security practices are not a guarantee of your ongoing cyber resilience – especially if they are built on subjective judgments or imprecise standards. 

Our intention has been to make some observations and comments about what is starting to look and feel more like a cyber-iceberg than just some gaps. If you’re charting a cyber security strategy and want to avoid your own iceberg, please contact us to learn more about our data-driven applications that digitally report your cyber resilience.

Cyber Security Reporting for Directors and Executives

BLOG POSTS

Related Cybersecurity Content

SIGN UP TO RECEIVE CYBER SECURITY INSIGHTS

Read by directors, executives, and security professionals globally, operating in the most complex of security environments.