As cyber security risk increases, so do the publicity surrounding it and the regulations governing it. This year we have already seen a number of new regulations come into effect that will impact the majority of both Australian and international organisations.
In March 2018, the Australian Prudential Regulation Authority (APRA) released a dedicated draft prudential standard for cyber security. The aim of this draft prudential standard, known as Information Security CPS234, is to ensure that financial institutions keep their IT environments and systems secure against cyber risks. The release of this draft is significant because it is expected to be finalised and published, at which point it will become a legally binding standard from the 1st of July, 2019 onwards.
CPS234: OBJECTIVES & REQUIREMENTS
The key objectives and requirements of this draft prudential standard include:
• Minimising the likelihood and impact of an information security incident;
• Ensuring that APRA regulated entities take the correct measures to become resilient against cyber security events;
• Having a set of clearly defined IT security related roles and responsibilities for all of the following:
– Senior management,
– Governing bodies, and
• Clearly defining and documenting the information security capability and policy framework;
• Implementing controls which protect data assets and are subject to systematic testing and assurance for effectiveness;
• Ensuring robust mechanisms are in place to detect and respond to cyber incidents in a timely manner; and
• Ensuring that APRA is notified of all material information security incidents within 24 hours.
Ultimately, APRA is placing the responsibility for information security in the hands of the boards. APRA wants to ensure that boards protect their data assets in a way that is commensurate with the size and extent of the threats they face, while still allowing for the continuous operation of their entity or entities.
DOES CPS234 APPLY TO ME?
Now that we know the key objectives and requirements of this draft prudential standard, it’s important to consider whether it will apply to you. Once published, this prudential standard will apply to the following entities:
• Building societies,
• Credit unions,
• Friendly societies,
• General insurance and reinsurance companies,
• Life insurance companies,
• Private health insurers, and
• Most members of the superannuation industry.
CPS234 APPLIES TO ME, NOW WHAT?
If this prudential standard applies to you and your organisation, it’s best to understand its requirements and perform a gap analysis against your current cyber security governance framework.
If your framework does not yet cover the requirements of this draft prudential standard, then you have more than enough time to assess and remediate your current controls and framework before the 1st of July, 2019.
KNOW YOUR DATA
The main focus of this draft prudential standard is protecting the data that flows through your environment. This data may enter through many different channels and be stored in either hard or soft copy.
It is very important to understand and know your data perimeter:
• Where it is stored,
• The type of data that is coming through and being stored, and
• Who has access to the data, so that the right security controls can be built accurately and appropriately.
Tulin is a strategic thinker and cyber risk management specialist with experience in the public and private sectors. Tulin has held senior positions with Commonwealth Bank, Westpac, Optiver and Deloitte. Whilst Tulin’s working experience spans enterprise risk management, business continuity, risk culture analysis, project management, issues management, IT audit, data analytics, internal audit and external audit, Tulin specialises in cyber risk management, including cyber risk threat analysis, prevention, control and assurance.