By Robert Di Pietro, Cybersecurity & Digital Trust Leader, PwC Australia
Share this article
The implementation of a modern and innovative prudential framework for Australia requires innovative thinking – and boards need to lead the charge.
The Australian Prudential Regulation Authority (APRA) recently released its anticipated consultation into the proposed cross-industry Prudential Standard CPS 230 Operational Risk Management. CPS 230 will establish minimum standards for managing operational risk, including updated requirements for business continuity and service provider management.
APRA defines “operational risk” as “the potential for financial loss or material disruption as a result of inadequate or failed internal processes or systems, the actions of people or external drivers and events, such as a pandemic or natural disaster”. Undoubtedly, cyber risks comprise a significant part of such a risk profile.
Building upon its pioneering CPS 234 Information Security standard, released in 2019, APRA is again putting boards front and centre in managing organisational risks. In a clarion call to directors on boards of APRA-regulated entities, the discussion paper states: “the Board is ultimately accountable for the oversight of operational risk management, and is expected to ensure that senior management effectively implements and maintains the framework”. One word in that sentence – “ultimately” – draws a clear line in the sand.
In relation to cybersecurity, while it is very much a here and now issue, with PwCs’ annual CEO survey finding cyber threats are the top concern for CEOs, it is also one that will be enduring. This means that while it is essential for boards to address cyber threats in the here and now, they must also take a future-facing approach. What will the cyber threat landscape look like in one year? In five years? In 10 years?
Such an approach requires agility and a new way of thinking. And while some speculation is necessary, there are also threat vectors we know are being developed and will, in due course, be deployed.
A prime example is quantum technology. It is a buzzword being bandied about board rooms all over Australia (and the world). Breakthroughs are being made every day, and Australian organisations and academics are punching above their weight in the quantum race. But quantum is a concept that can be hard to grasp.
In the most simple terms, quantum technologies, when applied in the cybersecurity domain, will effortlessly break through most of the current encryption we rely on today to protect our data. And while the technology is not there yet, ‘Q-Day’ as it is known in cyber circles, is inevitable.
So, what can boards do now to prepare for a quantum world?
It is vital boards are aware of new and emerging threat vectors. One key trend all boards should be well-briefed on is the development of the ‘harvest now, decrypt later’ (HNDL) approach to data theft.
It is a sobering reality that right now, vast quantities of personal and corporate data are being targeted and and stored away by malicious cyber actors, awaiting for Q-Day. When that day comes, quantum computers will be powerful enough to decrypt and access this data in seconds. The privacy of sensitive information will become obsolete in an instant.
The good news is that there are ways to build resilience against these types of quantum-enabled harvesting attacks. Quantum-safe encryption algorithms are being developed that will build resilience in the future age of quantum computers.
In what represents a major step-up in the quantum battle, and a signal that organisations need to prepare, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) recently announced it had selected four post-quantum algorithms to become part of its post-quantum cryptographic standard. This is expected to finalised within two years.
The Australian Signals Directorate (ASD) cautiously welcomed NIST’s announcement. Importantly, it encouraged Australian organisations to anticipate future requirements and dependencies of vulnerable systems during the transition to post-quantum standards.
Another example of an emerging technology that boards should be aware of is quantum key distribution (QKD). It provides a secure way of sharing encryption keys using the properties of quantum mechanics and is designed so any ‘eavesdropping’ attempt, essentially destroying the information the attacker was attempting to steal.
QKD is proven to be information-theoretic secure, meaning the protocol cannot be broken even by an adversary with unlimited processing power. Put simply, QKD prevents data being compromised by even the most motivated adversary.
We know cybersecurity is an issue that keeps company directors up at night. And over the past several years, we’ve seen how devastating cyber attacks can be not only for business continuity, but also for reputation. That’s why preparation is key.
CPS 230 is the latest piece of regulation in a growing list designed to lift the security of Australian organisations and, ultimately, Australia’s national security. It comes on the heels of a major overhaul of Australia’s critical infrastructure regime, which encourages an all-hazards approach to risk, with cyber a key element of broader resilience.
In the cyber world, knowledge is power and directors have to bring inquiring minds to the table. It is completely reasonable and vitally essential to ask questions and demand adequate answers, even if concerns - like the emergence of quantum technologies - seem like a problem for the future.
Robert Di Pietro
Cybersecurity & Digital Trust Leader, PwC Australia
Tel: +61 418 533 346