In the first four months after the Australian Prudential Regulation Authority's CPS 234 Information Security standard came into effect on 1 July this year, APRA has received 36 data breach notifications.
The standard, issued last year, declared that the boards of banks and other APRA-regulated entities bear the ultimate responsibility for information security.
CPS 234 includes a requirement that an entity notifies the regulator if a security incident “materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers” or if other regulators have been notified of the incident.
In remarks prepared for CyBSA 2019 Cyber Breach Simulation Australia in Sydney, APRA executive board member Geoff Summerhayes said that many of the data breaches the organisation had been notified of involved the disclosure of personal information through human error (such as emailing a spreadsheet to the wrong address).
However, others “involved a compromise of staff or customer credentials resulting in the unauthorised manipulation of records, website defacement and fraud”.
“It’s important to note that APRA’s regulated flock would have been subject to vastly more attempted cyber-attacks; these are just the ones that succeeded – and that we know about,” Summerhayes said. “With some cyber-incidents taking years to detect, it’s entirely possible that one of the banks, insurers or super funds has been compromised and we simply don’t know about it.”
The APRA board member said that the number of incidents from a reporting population of some 600 organisations “isn’t cause for undue alarm”. The regulator believes that the financial sector “broadly handles information security incidents well.”
However, Summerhayes said that APRA has seen a number of areas of common weakness across the sector, including “basic cyber hygiene”. That includes the use of end-of-life systems that no longer receive support or security patches from the vendor, shoddy patching regimes, and poor access management.
“Some institutions still haven’t developed a complete inventory of their information assets within their IT real estate or put in place effective oversight where part of that real estate is managed by third parties,” he said.
“This includes both cloud based services and traditional support arrangements, all captured by CPS 234. You cannot secure what you don’t understand and you are only as strong as your weakest link.”
Last year APRA released updated guidance on the use of cloud services by regulated entities. The regulator in its advice acknowledged the cloud service provider market and use of cloud services had matured significantly since it first formally addressed the issue in 2015.
Summerhayes noted today that CPS 234 required regulated entities to assess the security capabilities of third parties that manage information on their behalf.
“Some entities have responded to APRA’s requirements with a very ‘hands-on’ approach that may require some level of on-site inspection of third parties’ premises and regular service provider reports around their information security practices,” he said.
“We’ll leave it to organisations to determine what approach is commensurate with the impact of a security compromise. However, it is not good enough to rely solely on certifications or other forms of assurance provided by third parties without considering the sufficiency of the assurance these provide in satisfying the requirements of CPS 234.”
That is particularly important because of efforts to compromise service providers as a first step to breaching enterprises.
APRA is reviewing its existing outsourcing standard, CPS 231, and will “have more to say about service provider management,” Summerhayes said.
He also revealed that APRA is investing in its capacity to assess the cyber resilience of organisations it regulates.
“We’ll improve our cyber incident response capabilities to support institutions to recover from an incident as well as ensure our ability to enact the Financial Claims Scheme is not compromised,” Summerhayes said.