Every day financial services organisations deal with hundreds of thousands of indicators that could evolve into a cyber incident. According to the Australian Prudential Regulation Authority, Australian financial institutions are among cyber criminals’ top targets, and the threat is accelerating. While APRA states none of the entities that it regulates have experienced a material loss due to a cyber incident, a significant breach is “probably inevitable”.
The fact is cyber security risks are increasing for all organisations. Worryingly, APRA is concerned that some firms are neglecting basic cyber hygiene, which could lead to an increase in the risk they will be attacked.
In response to this accelerating risk, APRA has proposed its first prudential standard aimed at the threat of cyber-attacks, designed to shore up the ability of entities it regulates “to repel cyber adversaries, or respond swiftly and effectively in the event of a breach”.
The proposed standard, CPS 234, seeks to clearly define information security roles of boards, senior management, governing bodies and individuals. It would also mandate that organisations implement information security capability and controls in line with the size and extent of their information assets. The standard would also require regulated entities to have robust mechanisms in place to detect and respond to incidents in a timely manner, and notify APRA should an incident occur.
While still in a consultation phase – APRA intends to finalise the standard toward the end of the year – the announcement is a timely move. Pressures related to digital transformation, the changing cyber threat landscape, and increasing regulation are clearly mounting for organisations in Australia.
For organisations to thrive, rather than flounder, they should be thinking about how they will address the need for visibility, context, insight, and response. More importantly, there is a need for organisations to mature beyond the point where these are only considered for their new security initiatives, and instead are top of mind for all business initiatives.
Picking up on some of the common threads in APRA’s announcement, here are a few insights that may help organisations in their effort to prepare for and respond to cyber-attacks.
Understand the business context
A major opportunity for improving the security posture of many organisations is to review how vulnerabilities are handled. Many companies face thousands of vulnerabilities each week (sometimes more), and security teams do not have endless hours to remediate them – leaving a scenario where vulnerabilities are simply addressed in the order that they come in (if at all).
All too often, there is a lack of context, making it impossible to prioritise and therefore leaving the organisation exposed to significant risk for prolonged periods. This is ultimately a question of “If I’m going to invest my limited time today, where am I going to get the best return?”
The key to having greater impact with your vulnerability program is to focus your efforts on the issues that matter most to the organisation and to make sure those issues are given the right focus and the right priority.
This means establishing communication between security teams, IT teams and business management teams to identify the applications that are most critical to the organisation, that house the most sensitive data (for example, personal information, payment card data, intellectual property), or that could be used as a pathway to broader compromise.
With the right communication in place, it is then about making sure that the insights from your security investments can be connected with the insights from your business – as quickly as possible. That’s Business-Driven Security.
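The prioritisation described above can be made concrete with a small scoring model. The following is an added example, not code from the article or from RSA: it combines a scanner's severity rating with business context supplied by IT and business teams (asset criticality, sensitive data held, internet exposure, and whether the asset could be a pathway to broader compromise) and ranks findings by the result. All assets, vulnerability identifiers and weights are constructed for illustration, and the weights are assumptions an organisation would tune to its own risk appetite. The example also shows how the context-driven order differs from a plain severity sort.

```python
"""Context-driven vulnerability prioritisation (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Business context for an asset, as supplied by IT and business owners."""
    name: str
    criticality: int            # 1 (low) .. 5 (business critical)
    data_classes: frozenset     # subset of {"pii", "pci", "ip"}
    internet_facing: bool
    pivot_risk: bool            # could compromise here reach other systems?


@dataclass(frozen=True)
class Vulnerability:
    """One scanner finding. vuln_id is a constructed label, not a CVE."""
    vuln_id: str
    asset: str
    cvss: float                 # scanner severity, 0.0 .. 10.0
    exploit_public: bool        # working exploit publicly available?


# Assumed weights: how much each class of sensitive data raises the stakes.
DATA_WEIGHT = {"pii": 1.0, "pci": 1.5, "ip": 1.0}


def context_multiplier(asset: Asset) -> float:
    """Turn business context into a multiplier on the technical severity."""
    m = 1.0 + 0.25 * (asset.criticality - 1)          # 1.0 .. 2.0
    m += sum(DATA_WEIGHT.get(d, 0.5) for d in asset.data_classes)
    if asset.internet_facing:
        m += 1.0                                        # directly reachable
    if asset.pivot_risk:
        m += 1.0                                        # pathway to broader compromise
    return m


def risk_score(vuln: Vulnerability, assets: dict) -> float:
    """Severity, weighted up if an exploit is public, times asset context."""
    base = vuln.cvss * (1.5 if vuln.exploit_public else 1.0)
    return base * context_multiplier(assets[vuln.asset])


def prioritise(vulns, assets: dict):
    """Return (vuln_id, asset, score) tuples, highest business risk first."""
    ranked = sorted(vulns, key=lambda v: risk_score(v, assets), reverse=True)
    return [(v.vuln_id, v.asset, risk_score(v, assets)) for v in ranked]


def by_cvss_only(vulns):
    """The naive order a team gets by sorting on scanner severity alone."""
    return [v.vuln_id for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


# Constructed sample inventory.
ASSETS = {
    "payments-api": Asset("payments-api", 5, frozenset({"pci", "pii"}), True, False),
    "intranet-wiki": Asset("intranet-wiki", 2, frozenset(), False, False),
    "jump-host": Asset("jump-host", 3, frozenset(), True, True),
}

# Constructed sample findings.
VULNS = [
    Vulnerability("V-001", "intranet-wiki", 9.8, True),
    Vulnerability("V-002", "payments-api", 6.5, False),
    Vulnerability("V-003", "jump-host", 7.5, True),
    Vulnerability("V-004", "intranet-wiki", 4.3, False),
]

if __name__ == "__main__":
    print("severity-only order:", by_cvss_only(VULNS))
    for vuln_id, asset, score in prioritise(VULNS, ASSETS):
        print(f"{vuln_id:6} {asset:14} {score:6.2f}")
```

On this sample the critical-rated finding on the low-value intranet wiki drops to third place, while a medium-rated finding on the internet-facing payments API and a finding on a host that can reach other systems rise to the top. The multiplier values are the assumption that matters: the point is to have the business supply them explicitly rather than leave prioritisation to arrival order.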
It’s not possible to outsource risk
Many organisations are turning to cloud and other third-party services as a key enabler of their digital transformation initiatives. While these provide a great opportunity for outsourcing business processes and infrastructure, the hard reality is that while you can outsource the process, you cannot outsource the risk. In fact, third parties have been a major pathway for attackers into organisations in many of the major breaches reported over the last five years.
It could therefore be argued that without the right risk and compliance approach you may actually be increasing your attack surface by entering into these relationships. Outsourcing is inevitable, so organisations need to approach these initiatives with their eyes open: asking themselves what business processes and infrastructure they are outsourcing, the business context of those processes, who those relationships are with, and, through the use of questionnaires and assessments, whether those third parties are bolstering (and not bleeding) their security.
Have an incident response plan in place
If the last few years of data breaches have shown anything, it’s that it’s not so much the breach as it is the response that an organisation is remembered for.
To have any chance of emerging from a scenario like a data breach with its reputation intact, a company needs to know its level of preparedness and how it will respond, ahead of a breach occurring.
All organisations, financial institutions included, should have an incident response plan that has standard processes and procedures for when – not if – a breach occurs.
As part of this plan, organisations should have a clear view of the people that need to be involved (from IT, to legal and compliance, to PR, and the executives), to the processes that need to be executed (from gathering logs, to releasing media statements), and to the technology that will underpin these activities (from security tools, to corporate Twitter accounts).
The organisation should also be able to capture and track the tactical decisions that support its response, such as containment or remedial actions, as well as capture information that will support “lessons learned” activities, helping the organisation improve its security maturity, reduce the chance of recurrence or improve the quality of its response.
There is also an opportunity to consider the role that technology can play in automating these activities by bringing the right context and insights to bear, and by providing a platform for all involved to collaborate during breach events, as well as to track remedial and lessons learned activities through to closure.
Cyber threats are constantly accelerating and evolving. All organisations, especially those in the financial services sector, must view cyber security with a sense of urgency. As APRA’s Geoff Summerhayes told the Insurance Council of Australia Annual Forum: “There is absolutely no room for complacency.”
Sam O’Brien is Director, Governance, Risk & Compliance at RSA Asia-Pacific & Japan.