APRA Prudential Standard CPS 234: How to communicate with the board
It has been a whirlwind year for the Australian financial services sector, from the banking Royal Commission to the introduction of challenger banks and Open Banking. Now, regulators are shoring up the security of the industry by making organisations adhere to a cybersecurity prudential standard. The Australian Prudential Regulation Authority's (APRA) standard, CPS 234, is aimed at minimising the threat of cyber attacks for APRA-regulated entities by requiring that they implement measures to increase resilience against information security incidents, imposing specific reporting obligations.
Financial institutions are racing to keep up with customer demand for tech-savvy and efficient services that conveniently fit into their digital lives. These expectations have forced financial institutions to compete as digital businesses, delivering tailored services which can be accessed 24 hours a day from any device. This imperative to transform leaves banks exposed, with many struggling to plug vulnerability gaps across their environments, making the sensitive financial information they store an easy and high-value target for cybercriminals.
The rise in high-profile data breaches and cybercrime, coupled with increased regulation, is prompting corporate boards to pay closer attention to their organisation's security practices. While the topic of cybersecurity is no longer a conversation reserved for security teams, organisational policies need to continuously adapt to ensure the board remains informed about how Cyber Exposure gaps are being identified and addressed.
From 1 July 2019, the boards of banks and other entities regulated by APRA will be held more accountable following cyber incidents, so it's important that they understand where they are exposed, current threats and effective remediation processes.
While organisations won't be expected to meet the requirements of the CPS 234 standard until mid next year, having active conversations with the board about how to prioritise cyber risk should begin now. Providing a clear overview of imminent security threats can be challenging, with the number of vulnerabilities rising each year. The Vulnerability Intelligence Report from Tenable revealed that enterprises deal with an average of 870 unique vulnerabilities a day, with more than 100 of these considered to be critical. Despite the best efforts of security teams, breaches resulting from unpatched vulnerabilities serve as a constant reminder of the never-ending cycle of risk.
CPS 234 notes that “an APRA-regulated entity must maintain its security information capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or its business environment”. For CISOs, this means they must design and build a robust vulnerability management strategy to meet the organisation's specific needs.
For all organisations, not just those operating in the financial services sector, the board should understand which security efforts have been deployed to lower organisational risk and where to invest resources to ensure a quantifiable return.
Understand the problem
CPS 234 outlines that organisations must seek to classify assets, including those managed by related parties and third parties, by criticality and sensitivity, based on the potential to affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers.
For security teams, this can be challenging to address — the ever-evolving attack surface has given rise to an unrelenting barrage of vulnerabilities, making it harder to prioritise which threats pose the greatest risk. Traditional vulnerability management techniques, such as quarterly scans and/or targeting critical systems alone, are antiquated and ineffective.
Organisations' willingness to digitally transform has also created complex IT environments requiring constant visibility. Daily workflows are no longer solely controlled by organisations, with employees connecting new devices and applications to the network without the express permission of IT. This has created a security blind spot, exposing critical systems and sensitive data.
We've moved beyond the era of traditional vulnerability management into a new realm of cyber exposure — an emerging discipline for managing and measuring cybersecurity risk in the digital era. By breaking down cyber risk by asset and business context, vulnerability and threat context, this new framework can help security teams better understand and act on cyber risk at all levels within the organisation.
Mapping cyber exposure allows security teams to better understand where all assets are exposed and to what extent, allowing them to prioritise remediation efforts based on the level of business risk. The ability to prioritise threats helps identify the areas which require immediate attention and where additional investment can boost security efforts and lower risk. This complete level of visibility is an invaluable tool when having discussions at the board level about how exposed an organisation is.
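As an added illustration (not code from the article, Tenable or APRA), the following hypothetical Python scheme classifies assets by criticality and sensitivity in the way CPS 234 describes, including third-party managed assets, and then ranks scan findings by business risk rather than by CVSS alone. The scoring rules, asset names and vulnerability ids are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int            # 1 (low) to 3 (high): impact if the asset is unavailable
    sensitivity: int            # 1 (low) to 3 (high): impact if its data is disclosed/altered
    third_party_managed: bool   # CPS 234 classification also covers third-party managed assets

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str                # constructed placeholder ids, not real advisories
    cvss: float                 # vulnerability context: base severity
    exploit_available: bool     # threat context: is a working exploit known to exist

def business_impact(asset: Asset) -> int:
    # Assumed rule: take the higher of criticality and sensitivity so that a
    # low-criticality but highly sensitive asset (e.g. payroll data) still ranks high.
    return max(asset.criticality, asset.sensitivity)

def risk_score(asset: Asset, finding: Finding) -> float:
    # Assumed rule: impact (1-3) x severity (0-10), with a 1.5x uplift when an exploit exists.
    score = business_impact(asset) * finding.cvss
    return round(score * 1.5 if finding.exploit_available else score, 1)

def prioritise(assets, findings):
    """Return (vuln_id, asset, score) tuples, highest business risk first."""
    by_name = {a.name: a for a in assets}
    scored = [(f.vuln_id, f.asset, risk_score(by_name[f.asset], f)) for f in findings]
    return sorted(scored, key=lambda row: row[2], reverse=True)

# Constructed sample inventory and scan results (not real systems or CVEs)
ASSETS = [
    Asset("core-banking", criticality=3, sensitivity=3, third_party_managed=False),
    Asset("marketing-site", criticality=1, sensitivity=1, third_party_managed=False),
    Asset("payroll-saas", criticality=2, sensitivity=3, third_party_managed=True),
]
FINDINGS = [
    Finding("core-banking", "VULN-A", cvss=7.2, exploit_available=True),
    Finding("marketing-site", "VULN-B", cvss=9.8, exploit_available=True),
    Finding("payroll-saas", "VULN-C", cvss=6.5, exploit_available=False),
    Finding("core-banking", "VULN-D", cvss=9.0, exploit_available=False),
]

if __name__ == "__main__":
    for vuln_id, asset, score in prioritise(ASSETS, FINDINGS):
        print(f"{score:5.1f}  {asset:15} {vuln_id}")
```

Note that the CVSS 9.8 finding on the low-impact marketing site ranks last, while a lower-severity but exploitable finding on the core banking platform ranks first: that ordering, expressed in business terms, is the kind of view a board can act on.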
Keep the board informed
How can you best communicate cyber risk to the board? Keep it simple. Not all executives are well-versed in IT security jargon. Clearly communicate what the issue is, how it puts the business at risk and the most effective way to reduce it in business terms. Engagement is key. CPS 234 outlines a requirement to report a security incident within 72 hours, making response processes critical. A mature Cyber Exposure program will help businesses detect and respond to security incidents in a timely manner.
While the CPS 234 standard won't come into effect until mid-2019, it shouldn't be the sole catalyst for updating your vulnerability management practices. Maintaining an open dialogue with your board and educating them on the threats organisations face will go a long way in ensuring you have the resources you require to maintain a robust security posture.