Data breaches have dominated Australian news in recent times. Large-scale incidents at Medibank, Optus and Latitude Financial Services have grabbed headlines and exposed tens of millions of customer records.
Given this backdrop, it may not be a shock that an audit of Australian institutions has unearthed substantial weaknesses in their cyber resilience and security preparedness.
The audit, the first of four tranches to be conducted by the Australian Prudential Regulation Authority (APRA), aims to help regulated companies within the financial services industry patch glaring holes in their security strategies.
The verdict from the first tranche, however, was damning. It found that organisations struggle to meet cyber security expectations and, in many cases, have yet to implement the core requirements in the four years since CPS 234 standards were introduced. It highlighted six fundamental areas of weakness when assessed against the prudential standards.
The Role of APRA and CPS 234 within our financial system
APRA, Australia's prudential supervisor, is responsible for maintaining the stability, competitiveness and efficiency of the financial system. It has the power to licence financial organisations, supervise the industry, and set and enforce prudential standards in pursuit of those goals.
In 2019, in response to increasing cyber attacks on the financial sector, APRA introduced CPS 234. The purpose of this prudential standard is to ensure that regulated financial entities, including banks, insurers and superannuation trustees:
- are resilient to cyber attacks;
- maintain an information security capability proportionate to their vulnerabilities and the threats they face; and
- respond promptly to information security incidents.
In an environment where cyber threats are escalating and attackers are becoming more sophisticated, financial institutions need to pay close attention to the audit findings or run the risk of joining the long list of headline-grabbing organisations following a breach.
The Audit Process Found Six Key Weaknesses Across Organisations
The APRA audit, part of its 2020–2024 Cyber Security Strategy, is the largest of its kind, aiming to cover more than 300 banks, insurers, and superannuation trustees by the end of 2023.
The audit scrutinised around a quarter of APRA's regulated entities in the first tranche of assessments. Unfortunately, the results mirrored the concerning gaps found in a small pilot completed in mid-2021. The audit exposed six common areas of weakness, shown in the diagram below, which fundamentally undermine an organisation's cyber resilience.
In response to these findings, APRA urged every entity to review the common weaknesses and the proposed recommendations to address their cyber security control and governance policy shortfalls.
"The APRA encourages every entity to review those common weaknesses, along with the prudential standard itself, and incorporate relevant strategies and plans to address shortfalls in their cyber security controls and governance policies." - APRA
The regulator has also stated that it will continue to work with entities that do not sufficiently meet CPS 234 requirements, and it will further engage with the industry to lift the benchmark for cyber resilience.
These findings are crucial given the persistent threat to the finance sector and the highly-sensitive data that it safeguards
Four years since the inception of CPS 234, it’s deeply concerning that numerous financial services providers continue to struggle to meet cyber security standards. Many have yet to adopt the core requirements of the regulation, underlining a persistent and worrying gap between cyber security best practices and the harsh realities in the industry.
These findings are particularly alarming given that the finance sector consistently ranks second among Australian industries for notifiable data breaches, according to the OAIC's notifiable data breach reports. The enormous volume of highly sensitive information held by these institutions makes them a prime target for attackers.
Considering these gaps, it's reasonable to assume they extend well beyond the companies already audited. Financial institutions in future tranches should heed these findings carefully. And it's not just the finance industry at risk - organisations in other sectors would benefit from assessing whether their cyber security strategy is exposed to the same vulnerabilities.
The APRA audit may have focused on financial institutions, but the lessons are universal - and urgently need to be heeded.
Below, we summarise the common gaps identified in the first tranche of APRA's assessments, together with the recommendations proposed by APRA for each.
1. Incomplete identification and classification of critical and sensitive information assets
“Without proper identification and classification, it can be difficult for entities to determine the appropriate information security controls to protect critical and sensitive data from unauthorised access or disclosure.” - APRA
Common weaknesses:
- Asset classification policies are often unclear or incomplete;
- Asset registers aren't updated regularly, so they drift out of date; and
- Assets managed by third parties aren't identified or classified.
APRA recommendations:
- Define classification criteria around the potential impact of a security compromise of each asset;
- Maintain an asset inventory that registers each asset and maps the relationships between assets; and
- Where an asset is made up of components with differing ratings, give the asset the highest criticality and sensitivity rating found among its components.
2. Limited assessment of third-party information security capability
"Achieving sufficient assurance of information security controls operated by third-party service providers is a common challenge. This is a concern as more and more entities are relying on service providers to manage critical systems." - APRA
Common weaknesses:
- Third-party security assessment plans are narrow in scope or don't exist;
- Control effectiveness is unverified, resting solely on the third party's self-assessment;
- Evidence from testing isn't retained; and
- Testing frequency isn't matched to the criticality and sensitivity of the assets involved.
APRA recommendations:
- Identify which information assets are managed by third parties and set the rigour of testing accordingly;
- Understand the controls each third party operates;
- Assess control effectiveness using a range of methods rather than self-attestation alone; and
- Promptly remediate any capability gaps identified.
3. Inadequate definition and execution of control testing programs
"In many cases, the testing programs of entities are incomplete, inconsistent, lack independence and do not provide adequate assurance for management and the Board." - APRA
Common weaknesses:
- Information security control assurance programs and plans are missing, or cover key controls inadequately;
- Testing frequency isn't matched to asset criticality and sensitivity;
- Testers aren't functionally independent of the controls they test;
- Testing criteria are applied inconsistently; and
- Evidence needed to judge control effectiveness isn't retained.
APRA recommendations:
- Adopt a variety of testing approaches;
- Define clear success criteria, including the conditions under which re-testing is required; and
- Have testing performed by skilled, independent specialists who have no operational responsibility for the controls under test.
4. Incident response plans not regularly reviewed or tested
"Information security incident response plans were found to be incomplete, lack regular testing and review." - APRA
Common weaknesses:
- Incident response plans are often absent, not reviewed, or untested;
- Third-party roles aren't clearly defined in incident management policy; and
- Incident response playbooks don't cover a range of plausible disruption scenarios.
APRA recommendations:
- Review and test incident response plans, including those of third parties, at least annually, as CPS 234 requires;
- Cover a broad range of plausible disruption scenarios (e.g. malware infection, ransomware, data breach, DDoS, APT intrusion, compromised credentials); and
- Reduce the decisions that must be made in the middle of an incident by defining roles, responsibilities and escalation paths in advance.
5. Limited internal audit review of information security controls
"Internal audit activities must include a review of the effectiveness of information security controls, including those maintained by third parties. Findings from the assessment indicate that internal audit assessment of third-party information security controls is limited across the industry." - APRA
Common weaknesses:
- Internal audit rarely reviews third-party security controls; and
- Some internal auditors lack the information security skills needed to test controls.
APRA recommendations:
- Focus audit effort on high-impact areas where little reliance can be placed on other assurance activities;
- Review the scope and quality of third-party testing before deciding how far to rely on it; and
- Report significant deficiencies, or an inability to obtain assurance, to the Board.
6. Inconsistent and untimely reporting of material incidents and control weaknesses to APRA
"APRA must be notified of material incidents and control weaknesses in every entity’s cyber security system. The assessment found that the process to identify and define these for reporting to APRA is often inconsistent, unclear and, in some cases, not in place at all." - APRA
Common weaknesses:
- APRA notification requirements are often missing from policies;
- Third-party contracts don't require providers to report significant incidents to the entity so that they can be notified to APRA;
- Criteria for identifying material incidents and control weaknesses aren't clearly defined; and
- Procedures for timely reporting aren't established or enforced.
APRA recommendations:
- Define clear governance processes for escalating incidents and notifying APRA within the windows CPS 234 sets: no later than 72 hours after becoming aware of a material information security incident, and no later than 10 business days after becoming aware of a material control weakness; and
- Use multiple mechanisms to surface material control weaknesses, including control testing, assurance activities, incident notifications, vendor vulnerability advisories, and third-party reports.
If you would like to learn more about what we are building at Onqlave to help protect sensitive data, follow our updates via LinkedIn, sign up to our newsletter or feel free to get in touch with any of our team.