Amid the constant change of the recent past, one thing has remained certain for financial services institutions: they are under a sustained attack. In fact, the problem is only becoming more acute as cyber attacks on financial institutions continue to grow, spiking by 238% in 2020.[1]
Cyber attacks are on the rise across all industries, including critical infrastructure.
Cyber attacks cost Australian businesses $29 billion annually, according to the government.
56% of cyber and business executives say state-sponsored attacks on critical infrastructure are likely (PwC’s Digital Trust Insights).
As risks increase, regulators are expanding their efforts to help financial organisations boost their resilience. One example is the Australian Prudential Regulation Authority’s (APRA’s) increased focus on CPS 234, its first mandatory prudential standard for information security applying to all APRA-regulated entities.
At the core of the regulation are three key questions:
While many of those required to comply with this standard – including banks, super funds and insurers – have been busy implementing asset identification and protective measures since CPS 234 came into effect in July 2019, our experience with regulators and within the industry shows there may be more work to be done.
That’s why it’s important that organisations take steps now to boost their security posture and manage increasing levels of risk effectively.
The good news is that taking additional steps to ensure full compliance with CPS 234 will also put regulated entities in a strong position to comply with the forthcoming data management guidance, CPG 235.
As organisations look to boost security posture through CPS 234, it is important to do so with the next regulatory hurdle in mind – CPG 235, Managing Data Risk.
Among other recommendations, CPG 235:
A best practice plan should include:
An Information Security Strategy aligned to the overall IT strategy
An understanding of what your information assets are and where they are located
Board accountability for information security risks
An IT security governance forum or steering committee with representation from major business areas
Knowledge of third party relationships and awareness of how those parties handle your information
An information security risk management framework aligned to the organisational risk management framework
Appropriate security mechanisms applied to critical and sensitive information assets
A structured assessment program for information security controls and security incident management
A regularly tested cyber security incident response plan
The baseline of cyber controls formalised by CPS 234 has been established to foster good security practices among financial institutions from the board down. Yet our experience shows both boards and regulators are increasingly concerned about rising risks.
APRA is scheduled to complete a pilot tripartite review program shortly, under which a sample of regulated entities is being subjected to one-off, tripartite, independent cyber security reviews.
The key is to understand that the program isn’t about enforcement: creating a compliant, resilient security posture has wider industry- and economy-wide benefits that can future-proof our organisations for the long term.
PwC is well-positioned to work with organisations to spot and remediate any cyber exposures to achieve cyber resilience.
With experts close to the intention of CPS 234, CPG 235 and the regulatory process, PwC is able to review your compliance efforts to ensure alignment with the intent and the word of the standard.
This will be done with further regulatory developments in mind, including the transition of CPG 235 to CPS status. That means your work to meet these standards does not duplicate effort or complicate future compliance initiatives.
Among other support, PwC can offer:
Our financial services security experts have deep technical experience and industry knowledge, including hands-on practice advising on CPS 234 compliance and defining and designing best practice programs. From the boardroom to the IT team, we bring together strategic insight and practical actions to meet, and exceed, regulatory requirements - and ultimately protect your business from cyber risk.
[1] Australian Security Insights Report 2021, Carbon Black
[2] https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2020/
Sara Nicholson-Taylor
Director, Assurance, Trust & Risk, PwC Australia
Tel: +61 452 599 633