Article by Illumio's vice president of Asia Pacific, Rob van Es
Even if you’re not in the financial services industry (FSI), you’ve probably already heard of CPS 234 – the new standard for data protection set forth by the Australian Prudential Regulation Authority (APRA). The overarching goal of CPS 234 is to improve the cyber resilience of APRA-regulated organisations that face threats like payment and card fraud, attacks on critical infrastructure, mobile app vulnerabilities, and the like. In fact, according to NTT, 26% of global cyberattacks target the financial services industry and, interestingly enough, Australia is the source country for 66% of attacks in the finance sector across the entire Asia-Pacific region.
The point is that the cyber landscape has become incredibly complex and sophisticated over the past few years, which is why the Royal Commission released its report in February that identified significant failings in the financial sector along with recommendations on how to fix them. The resulting objective is to strengthen regulation and supervision of financial institutions. APRA made a formal response to the Royal Commission’s report stating its “full suite of recommendations provide a significant opportunity to substantially improve the financial system in Australia”.
Needless to say, the Commission looms large over APRA’s first cybersecurity regulation of the finance industry. The underlying objective of CPS 234 is not only to protect Australian citizens from further abuses in the financial sector; it also provides regulations and an overall roadmap by which these institutions will become much more transparent, accountable, and secure.
Breaches are a question of when, not if
Back in November of last year, APRA released the final version of CPS 234, and from a cybersecurity standpoint, it highlighted some key requirements such as:
What was notable about this announcement is that an APRA board member stated “a significant security breach at an APRA-regulated entity is almost certainly a question of when – not if.” While it was just a mention, it indicates a significant shift in approach to cybersecurity – it’s what’s known in the industry as an ‘assume breach’ mentality. At its core, this means organisations, companies, and institutions should restructure their cybersecurity strategies and policies in a way that will be effective when they are breached, versus trying to protect the perimeter against all odds.
When you assume breach, you realise that sooner or later even the best perimeter defences will fail. The value of this mindset is that it allows you to think like a hacker or malicious actor, so you can ask yourself two questions:
If these two questions can’t be answered clearly, immediate steps need to be taken so that they can be, by 1 July when CPS 234 takes effect.
Where to start your cybersecurity journey
For those who may be looking for a place to start their journey, here’s a three-part process to success with CPS 234:
CPS 234: A big step in the right direction
This will not be the one and only cybersecurity regulation for the FSI to tackle. With a new focus from regulators on lifting the security practices of the whole sector, we need to move the conversation on from piecemeal regulatory compliance.
This can be achieved by adopting a cybersecurity framework whose defences are commensurate with what the standards expect. The best and most effective security approach for enterprises is the model that has been coined Zero Trust, in which organisations do not, by default, trust anything inside or outside the network perimeter and instead verify anything and everything that tries to connect before giving it access. Zero Trust has become a model for effective security by localising and isolating threats through micro-segmentation technology, which applies policies to individual workloads for greater attack resistance.
Zero Trust is a framework that covers everything from user access to defending external and internal networks alike. Visibility enables defenders to see threats moving laterally inside a network, as attackers adapt their tactics to target the weakest points in the network, bypassing traditional perimeter defence solutions entirely.
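To make the micro-segmentation idea concrete, here is an added Python example (not code from the article or from Illumio) of a default-deny, label-based policy applied per workload: only explicitly allowed role-to-role flows pass, and every other east-west attempt is reported so a defender can review it for lateral movement. The workload labels, rules and flow records are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    """A workload identified by labels rather than by IP address (assumed model)."""
    name: str
    role: str   # e.g. web, app, db
    env: str    # e.g. prod, test


@dataclass(frozen=True)
class Rule:
    """Explicit allow rule between two roles on one port; nothing else is allowed."""
    src_role: str
    dst_role: str
    port: int
    same_env_only: bool = True   # prod workloads must not talk to test ones


def evaluate(rules, src, dst, port):
    """Default deny: a flow is permitted only if some rule explicitly matches it."""
    for r in rules:
        if (r.src_role, r.dst_role, r.port) != (src.role, dst.role, port):
            continue
        if r.same_env_only and src.env != dst.env:
            continue
        return True, f"allowed by {r.src_role}->{r.dst_role}:{r.port}"
    return False, "no matching rule (default deny)"


def audit(rules, workloads, flows):
    """Replay flow records through the policy and return the denied ones;
    these east-west attempts are what a defender reviews for lateral movement."""
    by_name = {w.name: w for w in workloads}
    return [(s, d, p) for s, d, p in flows
            if not evaluate(rules, by_name[s], by_name[d], p)[0]]


# Constructed sample inventory, policy and observed flows (not from the article).
WORKLOADS = [Workload("web-1", "web", "prod"), Workload("app-1", "app", "prod"),
             Workload("db-1", "db", "prod"), Workload("db-test", "db", "test")]
RULES = [Rule("web", "app", 8080), Rule("app", "db", 5432)]
FLOWS = [("web-1", "app-1", 8080),    # expected tier-to-tier traffic
         ("app-1", "db-1", 5432),     # expected tier-to-tier traffic
         ("web-1", "db-1", 5432),     # web tier reaching straight into the database
         ("app-1", "db-test", 5432),  # prod app touching a test database
         ("db-1", "app-1", 22)]       # database host initiating SSH to the app tier

if __name__ == "__main__":
    for flow in audit(RULES, WORKLOADS, FLOWS):
        print("DENIED", flow)
```

Because the policy is written against labels, the same two rules keep protecting a database no matter how many database hosts are added or which addresses they receive.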
CPS 234 is an effort that should be applauded and welcomed by the citizens of Australia. Broad-reach regulations such as CPS 234 are the ‘rising tide that lifts all boats’, ensuring an organisation’s – and ultimately each individual’s – vital data is secure. We can’t lose sight of the ultimate, underlying goal here: to ensure the integrity of our financial institutions for years to come despite the increased sophistication and complexity of today’s ever-evolving cyber landscape.