
APRA Prudential Standard CPS 234: How to communicate with the board

05 Dec 18

Article by Tenable country manager A/NZ, Bede Hackney.

It has been a whirlwind year for the Australian financial services sector, from the banking Royal Commission to the introduction of challenger banks and Open Banking. Now, regulators are shoring up the security of the industry by making organisations adhere to a cybersecurity prudential standard. The Australian Prudential Regulation Authority’s (APRA) standard, CPS 234, aims to make APRA-regulated entities resilient against information security incidents, including cyber attacks, by requiring them to maintain an information security capability commensurate with the vulnerabilities and threats they face, and by imposing specific incident-notification obligations.

Financial institutions are racing to keep up with customer demand for tech-savvy and efficient services that conveniently fit into their digital lives. These expectations have forced financial institutions to compete as digital businesses, delivering tailored services which can be accessed 24 hours a day from any device. This imperative to transform leaves banks exposed, with many struggling to plug vulnerability gaps across their environments, making the sensitive financial information they store an easy and high-value target for cybercriminals.

The rise in high-profile data breaches and cybercrime, coupled with increased regulation, is prompting corporate boards to pay closer attention to their organisation’s security practices. While the topic of cybersecurity is no longer a conversation reserved for security teams, organisational policies need to continuously adapt to ensure the board remains informed about how Cyber Exposure gaps are being identified and addressed.

From 1 July 2019, CPS 234 makes the board of a bank or other APRA-regulated entity ultimately responsible for the entity’s information security, so it is important that directors understand where the organisation is exposed, what the current threats are and how remediation is prioritised and tracked.

While organisations won’t be expected to meet the requirements of the CPS 234 standard until mid next year, having active conversations with the board about how to prioritise cyber risk should begin now. Providing a clear overview of imminent security threats can be challenging, with the number of vulnerabilities rising each year. The Vulnerability Intelligence Report from Tenable revealed that enterprises deal with an average of 870 unique vulnerabilities a day, with more than 100 of these considered to be critical. Despite the best efforts of security teams, breaches resulting from unpatched vulnerabilities serve as a constant reminder of the never-ending cycle of risk. 

CPS 234 states that “an APRA-regulated entity must actively maintain its information security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or its business environment”. For CISOs, this means designing and running a vulnerability management programme that keeps pace with new assets and newly disclosed vulnerabilities, rather than one that reports a point-in-time snapshot.

For all organisations, not just those operating in the financial services sector, the board should understand which security efforts have been deployed to lower organisational risk and where to invest resources to ensure a quantifiable return. 

Understand the problem

CPS 234 requires organisations to classify their information assets, including those managed by related parties and third parties, by criticality and sensitivity. The classification must reflect the degree to which an information security incident affecting the asset could affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers.

For security teams, this is hard to keep current: the attack surface keeps growing and the volume of newly disclosed vulnerabilities makes it harder to decide which findings pose the greatest risk. Traditional vulnerability management techniques, such as quarterly scans or scanning only the systems already labelled critical, are no longer adequate. A quarterly scan misses anything introduced or disclosed between scans, and scanning a hand-picked subset leaves every unclassified asset unassessed.

Organisations’ willingness to digitally transform has also created complex IT environments requiring constant visibility. Daily workflows are no longer solely controlled by organisations, with employees connecting new devices and applications to the network without the express permission of IT. This has created a security blind spot, exposing critical systems and sensitive data.

We’ve moved beyond the era of traditional vulnerability management into a new realm of cyber exposure, an emerging discipline for managing and measuring cybersecurity risk in the digital era. By scoring each finding on asset and business context (what the asset does and what data it holds) together with vulnerability and threat context (severity, exploitability and whether an exploit is being used in the wild), this framework helps security teams understand and act on cyber risk at every level of the organisation.

Mapping cyber exposure allows security teams to see where each asset is exposed and to what extent, so remediation can be prioritised by business risk rather than by raw severity score alone. The ability to prioritise threats identifies the areas that need immediate attention and where additional investment will lower risk the most. That visibility is an invaluable tool in board-level discussions about how exposed the organisation is.
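As an added illustration of the prioritisation described above, and of the asset classification CPS 234 calls for, the following Python (written for this article, not code from Tenable or from the standard) ranks findings by business risk rather than CVSS alone. The four-level criticality and sensitivity scales, the weights, the tier thresholds and SLAs, and the asset and finding data are all hypothetical; CPS 234 requires a classification but does not prescribe one.

```python
"""Added example: rank vulnerability findings by business risk.

Combines a CPS 234-style asset classification (criticality, sensitivity)
with vulnerability severity and threat context. Scales, weights, SLAs and
sample data are hypothetical, chosen for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical four-level scales (CPS 234 does not prescribe a scale).
CRITICALITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}
# Hypothetical remediation SLAs in days per tier.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str        # impact if the asset is unavailable or corrupted
    sensitivity: str        # impact if the data it holds is disclosed
    internet_facing: bool
    third_party_managed: bool = False  # CPS 234 covers third-party assets too


@dataclass(frozen=True)
class Finding:
    finding_id: str         # placeholder IDs, not real CVEs
    asset: str
    cvss: float             # CVSS base score, 0.0-10.0
    exploit_public: bool    # threat context: a working exploit is known
    days_open: int          # age of the finding, for SLA tracking


def asset_weight(asset: Asset) -> float:
    """Business-context weight in (0, 1]. Worst-of, so a critical but
    low-sensitivity asset (or the reverse) is not diluted by averaging."""
    level = max(CRITICALITY[asset.criticality], SENSITIVITY[asset.sensitivity])
    return level / 4.0


def threat_multiplier(finding: Finding, asset: Asset) -> float:
    """Public exploit and internet exposure raise urgency (weights assumed)."""
    m = 1.0
    if finding.exploit_public:
        m *= 1.5
    if asset.internet_facing:
        m *= 1.2
    return m


def risk_score(finding: Finding, asset: Asset) -> float:
    """Severity x business weight x threat context, rounded for reporting."""
    return round(finding.cvss * asset_weight(asset) * threat_multiplier(finding, asset), 2)


def remediation_tier(score: float) -> str:
    """Map a score to a remediation tier (hypothetical thresholds)."""
    if score >= 8.0:
        return "P1"
    if score >= 6.0:
        return "P2"
    if score >= 4.0:
        return "P3"
    return "P4"


def prioritise(findings: List[Finding], assets: List[Asset]) -> List[Tuple[str, str, float, str]]:
    """Return (finding_id, asset, score, tier) sorted by descending risk."""
    by_name = {a.name: a for a in assets}
    ranked = []
    for f in findings:
        if f.asset not in by_name:
            # An unclassified asset is itself a CPS 234 gap: surface it, don't skip it.
            raise KeyError(f"asset {f.asset!r} has no classification")
        score = risk_score(f, by_name[f.asset])
        ranked.append((f.finding_id, f.asset, score, remediation_tier(score)))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked


def overdue(ranked, findings: List[Finding]) -> List[str]:
    """Finding IDs whose age exceeds the SLA for their tier."""
    age = {f.finding_id: f.days_open for f in findings}
    return [fid for fid, _, _, tier in ranked if age[fid] > SLA_DAYS[tier]]


def board_summary(ranked) -> Dict[str, int]:
    """Counts per tier: the level of detail a board needs, without CVE jargon."""
    summary: Dict[str, int] = {}
    for _, _, _, tier in ranked:
        summary[tier] = summary.get(tier, 0) + 1
    return summary


# Constructed sample data, not from any real scan or organisation.
SAMPLE_ASSETS = [
    Asset("core-banking-db", "critical", "restricted", internet_facing=False),
    Asset("public-website", "medium", "public", internet_facing=True),
    Asset("hr-payroll", "medium", "confidential", internet_facing=False, third_party_managed=True),
]
SAMPLE_FINDINGS = [
    Finding("F-101", "public-website", cvss=9.8, exploit_public=True, days_open=3),
    Finding("F-102", "core-banking-db", cvss=7.5, exploit_public=False, days_open=40),
    Finding("F-103", "hr-payroll", cvss=8.8, exploit_public=False, days_open=12),
    Finding("F-104", "core-banking-db", cvss=5.3, exploit_public=True, days_open=1),
]


def sample_ranking():
    return prioritise(SAMPLE_FINDINGS, SAMPLE_ASSETS)


if __name__ == "__main__":
    ranking = sample_ranking()
    for row in ranking:
        print(row)
    print("overdue:", overdue(ranking, SAMPLE_FINDINGS))
    print("board summary:", board_summary(ranking))
```

On the sample data, CVSS alone would order the findings F-101, F-103, F-102, F-104. Business-risk scoring instead places F-104 (a medium-severity issue with a public exploit on the core banking database) ahead of F-103 (a high-severity issue on a less critical system), and flags F-102 as past its SLA. The `KeyError` on an unclassified asset is deliberate: a finding on an asset nobody has classified is itself the kind of gap CPS 234 expects the entity to notice.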

Keep the board informed

How can you best communicate cyber risk to the board? Keep it simple. Not all executives are well-versed in IT security jargon. Clearly state what the issue is, how it puts the business at risk and the most effective way to reduce it, in business terms. Engagement is key. CPS 234 also requires an entity to notify APRA as soon as possible, and no later than 72 hours, after becoming aware of an information security incident that materially affected, or had the potential to materially affect, the entity or its customers, so detection and response processes are critical. A mature Cyber Exposure programme helps businesses detect and respond to security incidents within that window.

While the CPS 234 standard won’t come into effect until 1 July 2019, it shouldn’t be the sole catalyst for updating your vulnerability management practices. Maintaining an open dialogue with your board and educating them on the threats organisations face will go a long way towards ensuring you have the resources you need to maintain a robust security posture.
