APRA sends a serious message on cyber-security – and now with added regulatory bite

By Meg McKechnie, Lex Burke
28 Nov 2019
APRA says its regulated entities must act on the basis that their information security defences will be compromised by a cyber-adversary, and must be ready to repel the attack, re-secure the network and rectify any damage – but a recent survey reveals 70% have gaps.

These days it’s no longer a question of whether your company will be hacked – sooner or later, every corporation large or small will suffer some form of outside penetration. In many cases it wasn’t about theft of money but about theft of the private and sensitive data of thousands of people which are taken and aggregated on various dark web lists for sale and ultimately used for criminal purposes.

Given the large amounts of sensitive data held by the entities it regulates, APRA created a new guideline to take the fight to another level. The updated APRA Prudential Standard CPS 234 Management of Information and Information Technology, which came into effect in July, and the elevation of cyber resilience in its updated Corporate Plan to one of its top four strategic priorities, are the regulator’s signal that the days of the “tick box, set-and-forget approach to security” have ended. Super funds, deposit-taking institutions, general insurers as well as life and health insurers will now need to actively prove the robustness of their systems and the efficacy of their cyber risk management both internally and outsourced.

But are they listening to this message? According to Geoff Summerhayes, a recent survey of APRA regulated entities revealed 70% assessed themselves as having gaps in their CPS 234 compliance:

"In the four months since CPS 234 came into force, APRA has received 36 incident notifications. Many of those were data breaches involving the disclosure of personal information as a result of human error (such as “accidental’ disclosure where an employee emailed a spreadsheet externally which included customer information). Others, more ominously, involved a compromise of staff or customer credentials resulting in the unauthorised manipulation of records, website defacement and fraud. It’s important to note that APRA’s regulated flock would have been subject to vastly more attempted cyber-attacks; these are just the ones that succeeded – and that we know about. With some cyber-incidents taking years to detect, it’s entirely possible that one of the banks, insurers or super funds has been compromised and we simply don’t know about it."

With third party vulnerabilities the growing target for cyber-attackers, this is particularly concerning. In this article, we'll look at the basics of APRA's current regulatory stance, and the key areas and actions you can focus on to avoid being one of the 70%.

APRA Prudential Standard CPS 234 Information Security: the buck stops here

CPS 234 sets out minimum standards for managing information security and clearly calls out where the buck stops, placing ultimate responsibility for information security with company boards. It will, in many cases, demand a broader acknowledgment of the threat – and a more nuanced response to it. The board needs to show greater awareness of a company’s cyber defences and what must be done to contain it.

There is a raft of expectations imposed by this standard:

  • a company’s security capabilities must keep up with threats as they evolve;
  • there has to be clear design and implementation of controls which can be tested effectively by a third party; and
  • much tighter incident response times, including notification to APRA of both actual breach incidents and control weaknesses.

The changes to controls are expected to be commensurate with the size of a potential threat, the damage it could do, what is at stake and what the threat environment is. With life and health insurers in particular, it is clear that information privacy goes far beyond simply financial data – data theft can be life-threatening.

APRA is not necessarily asking for the highest form of cyber control for every entity. It is asking for a far more intelligent and wide-ranging oversight of potentially exposed data assets – in essence how effectively a company contains, analyses and reports the breach.

At a more granular level, many of the nice-to-haves from previous, more innocent, times are in effect mandatory, as Mr Summerhayes said:

"An essential cyber security principle is to ensure personnel are granted the minimum access required for their duties. Controls such as multi-factor authentication for users when they perform a privileged action (including accessing an important data repository) should also be the norm not the exception, providing an important safeguard against credential theft."

For companies which use outside service providers for security – particularly SMEs which are less able to allocate adequate resources to cyber security – the new data standard requires you to know enough about what your agreement is with the provider and what due diligence is done on contractors. That will be augmented by the results of APRA's current review of its existing standard on outsourcing, CPS 231

APRA is not going to be set-and-forget about CPS 234; its plans for “constructively tough” enforcement include:

  • moving to independent assessment of CPS 234 compliance;
  • using data-driven insights to prioritise and tailor its supervision;
  • creating baseline metrics for assessing compliance; and
  • potentially using third parties for helping it with deeper assessments.

Vulnerabilities that APRA-regulated entities should be addressing

Vulnerabilities are wide and varied, they are not always technical and not always obvious. You have to take a holistic approach looking at people, processes and technology. A member of a company is often targeted by attackers who are willing to use phone, email, and malware simultaneously to get a team to sign off on a transaction.

While the majority of data breaches are malicious, a large minority relate to neglected databases which look like unlocked, unguarded safes to the experienced cyber criminal. APRA is trying to ensure that those unlocked safes are brought back into the security fold, and that personnel proactively manage the threat.

There are some clear areas where APRA-regulated businesses are vulnerable:

  • Culture: payment controls or similar may be in place, but if personnel become too relaxed they will miss important details in relation to security.
  • Email systems in general, infrastructure – and weak policy: digital “accidents” are on the rise, with a misconfiguration can release data to thousands of people. Seconds or minutes are often enough time for a third party to find the information and abuse it.
  • Accidents will happen: these can include developers using production data on the global software development platform Github; application teams putting a database out to the world without a firewall; or even the simple mistakes – someone emailing the wrong person or leaving an unencrypted hard disk in a taxi or airport.

Dealing with the threat of cyber-attacks: Contain, analyse, report

Although each entity must have an individual approach to cyber-security that reflects its own circumstances, we've found in our work with various organisations that there are five basic areas you should be focusing on getting right as a minimum:

  • End-to-end incident response services: this begins with making sure you are prepared to respond to a potential attack and capture the appropriate information to investigate a breach. In the case of a breach, it means assistance in investigating the attack and classifying the types of information that were taken. After the conclusion of a response, you should be left with a system that is more resilient to cyber-attack.
  • Cyber incident simulations for C-Suite and technical staff: this is about testing how your plans will work in a real life situation without the risk, but still getting the benefits of identifying the gaps in your processes, technology, and people.
  • Threat intelligence and monitoring: this involves understanding the unique threats to your industry from both external and internal threats. Many attacks can be prevented or foiled using an intelligence lead approach. For example, we collect data on how attackers operate and keep up to date with cutting edge scams and tactics, as well notifying our users when their personal information is discovered out in the wild.
  • Security and legal advice: this is about understanding your legal obligations to both regulators and your clients, such as contractual liability, agreed service levels, and responsibilities between yourself and your vendors. Maintaining a holistic relationship between your legal and security functions is the desired outcome.
  • User awareness training: this is more than the basics of how to detect phishing emails. For example, we've been taking learnings from recent incident response investigations to keep staff and our clients aware of how current cyber-attacks are being conducted by threat actors. Your staff are often your first line of threat identification and defence.
Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.