The Australian Prudential Regulation Authority (APRA) is the regulator for Australia’s financial services industry and is charged with compliance and governance over all aspects of the industry. Financial services cover a wide range of business types, so when APRA announced their new cyber security standard, it raised the question of how they can regulate whilst ensuring the standard stays applicable to all these different business models. Let’s look at how this might work.
APRA has a wide remit to regulate consumer banks, business banks, insurance companies, investment banks, hedge funds and pension providers. Their announcement of a new cyber security standard that applies to all these business types was well received by the security community, but it poses several challenges that will need to be addressed. The paper entitled Information Security Management: A new cross-industry prudential standard shows their intent is to mandate this standard as soon as they have been through the consultation period, so it won’t be long until this becomes a reality for affected businesses.
APRA says these security measures will help their industry to stop cyber adversaries and uplift organisations’ cyber incident response capabilities to allow them to swiftly and effectively recover if they suffer a breach.
Can a Security Framework Work for the Finance Industry?
The standard, called CPS 234, requires all APRA-regulated entities to do the following:
- Define the information security roles and responsibilities of the organisation’s board of directors, senior management, governing bodies and individuals;
- Maintain information security capabilities that are appropriate to the size, scale and extent of the threats to their assets;
- Commission cyber security controls capable of protecting the organisation’s assets, and “undertake systematic testing and assurance” regarding the effectiveness of those controls;
- Notify APRA of material information security incidents.
These controls are taken directly from other security standards, such as ISO 27001, so these countermeasures are not new (and certainly should not be to any organisation managing money). However, APRA sees the need to publish these standards as specific to their industry in Australia so that they can be enforced by APRA itself as the industry regulator – which makes a lot of sense. If APRA says that organisations must comply, and it has the power to shut them down if they don’t, then compliance is more likely to happen.
OpSec for the Finance Industry
Operational security, including the people, processes and technology that will help organisations, must become a focus for APRA-governed organisations. This includes the mechanisms to detect cyber-attacks and respond to security incidents, which requires organisations to deploy the security controls needed to fortify their networks, systems and premises. The focus of a successful operational security capability typically becomes the Security Operations Centre (SOC), which can be standalone and in-house, or outsourced to a managed security service provider (MSSP) that has the expertise and toolsets to continually monitor and alert on potential threats (as well as respond to those attacks).
APRA’s standard defines the governance and technology requirements that organisations need to deliver (and against which they will be audited). Organisations can choose to build the solution themselves or engage an MSSP to deliver those requirements. However, the responsibility still remains with the APRA-governed organisation, so it’s not a matter of transferring the risk to a third party: the risk remains in their own back yard – it’s just being managed by someone else. They therefore need to be smart about how they engage the service provider.
Before building or buying any technical solution, organisations also need to decide what needs protecting. Critical or confidential information, such as their own intellectual property, financial information and their customers’ personal information, all needs to be protected. Organisations need to audit themselves first to determine what needs to be kept safe and where that information is, so their security team (or MSSP) knows what needs to be monitored; otherwise the problem becomes too hard to deal with. Furthermore, profiling the threat actors that might target them is vital, since security services should be tailored to the threat model affecting their business operations rather than monitoring and managing a range of generic threats.
Only when armed with this knowledge can an accurate solution be designed, based on managing the information security risks they face. A risk assessment focuses investment decisions in information security on what’s important, rather than blindly buying technology to stop unquantified and irrelevant threats.
Security Service Design and Transition
Start by auditing the security controls and processes the business already has. For example, where ITIL is used to run their IT systems, change management processes already exist and employees will follow these when making changes to their networks and infrastructure. As the information security programme rolls out, they should be tracking every change through their change approval board, and each change should be well considered, designed and tested, then rolled out with a backout strategy in case something goes wrong. This is all good practice and will help them deal with security change effectively. Furthermore, ITIL also includes security management as a process, so it builds nicely on the foundation already in place, since security management integrates with all the other IT Service Management processes.
How can CxO Security Help?
CxO Security operates as an MSSP, providing advisory services on all matters of cyber and information security. Our services can integrate with your business and ITSM models. Our team work within the constraints of your service management frameworks to holistically introduce security services that really make a difference. Our operational security team work 24x7 monitoring what’s important to your business and alerting your onsite team when a threat is found. CxO’s incident response team can also act on your behalf to contain and eradicate the threats you face, making sure you are kept safe from the effects of cyber-crime. For more information on how CxO Security can help you become APRA compliant, please contact our team via the Contact Us page on the website.