APRA embraces an ‘assume breach’ mentality with CPS 234
Even if you're not in the financial services industry (FSI), you've probably already heard of CPS 234 – the new standard for data protection set forth by the Australian Prudential Regulation Authority (APRA). The overarching goal of CPS 234 is to improve the cyber resilience of APRA-regulated organisations who face threats like payment and card fraud, attacks on critical infrastructure, mobile app vulnerabilities, and the like – in fact, according to NTT, 26% of global cyberattacks target the financial services industry and, interestingly enough, Australia is the source country for 66% of attacks in the finance sector across the entire Asia-Pacific region.
The point is that the cyber landscape has become incredibly complex and sophisticated over the past few years, which is why the Royal Commission released its report in February that identified significant failings in the financial sector along with recommendations on how to fix them. The resulting objective is to strengthen regulation and supervision of financial institutions. APRA made a formal response to the Royal Commission's report stating its “full suite of recommendations provide a significant opportunity to substantially improve the financial system in Australia”.
Needless to say, the Commission looms large over APRA's first cybersecurity regulation of the finance industry and while the underlying objectives of CPS 234 are not only to protect Australian citizens from further abuses in the financial sector, it provides regulations and an overall roadmap by which these institutions will become much more transparent, accountable, and secure.
Breaches are a question of when, not if
Back in November of last year, APRA released the final version of CPS 234, and from a cybersecurity standpoint, it highlighted some key requirements such as:
- Clearly defining information-security roles and responsibilities
- Maintaining an effective security capability that can handle the size and scale of threats
- Implementing controls to protect sensitive data and information while regularly testing for their effectiveness
- Notifying APRA of any security incident as quickly as possible
What was notable about this announcement is that an APRA board member stated “a significant security breach at an APRA-regulated entity is almost certainly a question of when – not if.” While it was just a mention, it indicates a significant shift in approach to cybersecurity – it's what's known in the industry as an ‘assume breach' mentality. At its core, this means organisations, companies, and institutions should restructure their cybersecurity strategies and policies in a way that will be effective when they are breached, versus trying to protect the perimeter against all odds.
When you assume breach, you realise that sooner or later even the best perimeter defenses will fail. The value of this mindset is that it allows you to think like a hacker or malicious actor so you can ask yourself two questions:
- What are the high value assets – private, sensitive, and/or mission-critical data – that an attacker will target once they find a way into the network?
- What security measures are currently in place to prevent the free, lateral movement of an attacker within the network (which have become flat with increased connectivity of apps and devices)?
If these two questions can't be answered clearly then immediate steps need to be taken to be able to do so by 1 July when CPS 234 takes effect.
Where to start your cybersecurity journey
For those who may be looking for a place to start their journey, here's a three part process to success with CPS 234:
- Collaborate and create ownership internally – the standard is aimed at cybersecurity, but the reality is that compliancy doesn't necessarily fall solely to the security team's hands. There will almost certainly be a broad range of business units (BUs) that will be affected so key stakeholders and leadership teams need to sit down and have a conversation – break down internal silos and make sure everyone understands the regulation's implications. The focus on collaboration reflects a global trend where security is no longer the responsibility of the “security team” but rather the whole organisation.
- Understand where CPS will apply – there is a big focus on protecting the ‘crown jewels' of an organisation, but you can't protect what you can't see. Knowing where in a network critical data sits and how it is connected to other servers is critical for protection and also providing transparency for auditors. This is where vendors and partners can truly shine, allowing organisations to have the insights they need to comply fully.
- Find the solution that fits specific needs – the process of testing and demonstrating compliance needs to be as simple and predictable as possible. Organisations need to identify a cybersecurity solution that will satisfy auditors so consider segmentation technology, which falls in line with an assume breach mentality by compartmentalising and isolating threats once they're inside and provides protection should a breach happen behind the perimeter firewall.
CPS 234: A big step in the right direction
This will not be the one and only cybersecurity regulation for the FSI industry to tackle. With a new focus from regulators on lifting the security practices of the whole sector, we need to move the conversation on from piecemeal regulatory compliance.
This can be achieved by adopting a cybersecurity framework that defends commensurate with what's being expected in standards. The best and most effective security approach for enterprises is what has been coined Zero Trust where organisations should not, by default, trust anything inside or outside the network perimeter and instead verify anything and everything that's trying to connect before giving it access. Zero Trust has become a model for effective security by localising and isolating threats through micro-segmentation technology that applies policies to individual workloads for greater attack resistance.
Zero Trust is a framework that covers everything from user access, defending external networks and internal networks as well. Visibility enables defenders to see threats moving laterally inside a network, as attackers adapt their tactics to target the weakest points in the network, bypassing traditional perimeter defence solutions entirely.
CPS 234 is an effort that should be applauded and welcomed by the citizens of Australia. Broad-reach regulations such as CPS 234 are the ‘rising tide that lifts all boats', ensuring an organisation's – and ultimately each individual's – vital data is secure. We can't lose sight of the ultimate, underlying goal here: to ensure the integrity of our financial institutions for years to come despite the increased sophistication and complexity of today's ever-evolving cyber landscape.