Once more unto the (assumed) breach
I’d like to start by congratulating the Trans-Tasman Business Circle and the Optus Macquarie University Cyber Security Hub for organising today’s event, which I believe is one of the first of its kind in Australia.
I also commend the organisations taking part for having the foresight to do so. Having been involved in my share of crisis simulations over the years, I know they are challenging and can be quite stressful – which, of course, is the point of the exercise. The fact that you have voluntarily paid money to allow yourselves to be assailed by hypothetical cyber-adversaries is a clear indication that you appreciate the need to be ready to respond rapidly and effectively when your organisation’s information security defences are breached.
I say “when”, rather than “if” quite intentionally; not out of pessimism about the scale of the cyber threat, nor scepticism about your organisation’s IT capabilities, but because of APRA’s belief in the importance of organisations adopting an “assumed breach” mentality. In essence, it means acting on the basis that your information security defences will, at some point, be compromised by a cyber-adversary, and having the systems and experienced personnel available to repel the attack, re-secure the network and rectify any damage.
In March last year I delivered a speech on cyber, which I described as an “accelerating risk”. My point was that cyber-risk is far from new, but the level of threat it poses, and the extent to which business has become exposed to that threat, has drastically escalated over recent years. No evidence has emerged since then to suggest that cyber risk is slowing down, with Australia’s Director-General of Security, Duncan Lewis, recently listing cyber as one of his top three concerns, alongside espionage and terrorism.
To date, no APRA-regulated entity has experienced a breach material enough to threaten its viability, but I can assure you it’s not for want of trying. We’ve warned repeatedly that it’s only a matter of time until an Australian bank, insurer or superannuation licensee suffers a significant breach that, in a worst case scenario, could force it out of business. Recent media coverage of the theft of nearly $2 million from Australian superannuation funds and share trading accounts by a group of online hackers was a timely reminder that there is no room for complacency as cyber-adversaries, regrettably sometimes backed by governments, grow in number and sophistication.
In response to this accelerating risk, APRA has also had to ratchet up its response and increase its capabilities. Our first prudential standard on information security came into force on 1 July this year, while just weeks ago our updated Corporate Plan elevated the improvement of cyber resilience across the financial system to one of our top four strategic priorities.
Although many of you here today aren’t subject to APRA-regulation, you all have bank accounts. You all rely on the protection of insurance. You all have your retirement savings invested in superannuation. Consequently, APRA’s efforts to shore up the cyber resilience of the entities we regulate matter greatly, not only to you, but to all Australians. For that reason, I want to share some insights today on the progress the industry is making in responding to APRA’s stronger prudential framework around cyber, and how our greater strategic focus in this area will shape our future approach to this evolving threat.
One of the requirements of APRA’s information security prudential standard, CPS 234 Information Security, is for regulated entities to notify APRA promptly once they become aware of any material information security incidents or material information security control weaknesses. This requirement has already helped to provide us with additional insights into the scale and nature of the threats our regulated entities are facing.
In the four months since CPS 234 came into force, APRA has received 36 incident notifications. Many of those were data breaches involving the disclosure of personal information as a result of human error (such as “accidental” disclosure where an employee emailed a spreadsheet externally which included customer information). Others, more ominously, involved a compromise of staff or customer credentials resulting in the unauthorised manipulation of records, website defacement and fraud. It’s important to note that APRA’s regulated flock would have been subject to vastly more attempted cyber-attacks; these are just the ones that succeeded – and that we know about. With some cyber-incidents taking years to detect, it’s entirely possible that one of the banks, insurers or super funds has been compromised and we simply don’t know about it.
Room for improvement
The number of incidents – most relatively minor – from a reporting population of almost 600 entities isn’t cause for undue alarm, and it supports APRA’s belief that the financial sector broadly handles information security incidents well. However, as part of our normal supervisory activities we have also observed areas of common weakness, many of which APRA has called out repeatedly, including in our updated industry guidance, CPG 234.
For example, we have identified basic cyber hygiene as an ongoing area of concern. This includes having systems for which the vendor is no longer providing support or security updates. The lack of a comprehensive security patching regime and poor access management practices are also common. Some institutions still haven’t developed a complete inventory of their information assets within their IT real estate or put in place effective oversight where part of that real estate is managed by third parties. This includes both cloud based services and traditional support arrangements, all captured by CPS 234. You cannot secure what you don’t understand and you are only as strong as your weakest link.
The new prudential standard requires regulated entities to assess and gain assurance regarding the information security capability of third parties that manage information assets on their behalf. Some entities have responded to APRA’s requirements with a very “hands-on” approach that may require some level of on-site inspection of third parties’ premises and regular service provider reports around their information security practices. We’ll leave it to organisations to determine what approach is commensurate with the impact of a security compromise. However, it is not good enough to rely solely on certifications or other forms of assurance provided by third parties without considering the sufficiency of the assurance these provide in satisfying the requirements of CPS 234. This is even more important in light of evidence that cyber-adversaries are increasingly targeting third party vulnerabilities to carry out attacks. We’ll have more to say about service provider management more broadly as we review our existing standard around outsourcing, CPS 231.
How organisations control privileged access to their systems is also troubling. Handing over the “keys to the kingdom” and allowing access to information and systems without tight controls around who exactly has them can only increase an organisation’s exposure to attack. An essential cyber security principle is to ensure personnel are granted the minimum access required for their duties. Controls such as multi-factor authentication for users when they perform a privileged action (including accessing an important data repository) should also be the norm not the exception, providing an important safeguard against credential theft.
In short, there is room for improvement in the industry. As further evidence, in a recent survey over 70 per cent of APRA regulated entities self-assessed CPS 234 compliance gaps. APRA will monitor progress in this area closely, seeking an independent assessment of CPS 234 compliance in due course.
A tougher approach
APRA’s role in this process is to ensure regulated institutions are resilient to cyber-attacks through prevention, detection and response capabilities. We’ll be increasingly challenging entities in this area by utilising data driven insights to prioritise and tailor our supervisory activities. In the longer term, we’ll use this information to inform baseline metrics against which APRA regulated institutions will be benchmarked and held to account for maintaining their cyber defences. We’ve set the floor with CPS 234 and will be enforcing these legally-binding minimum standards in a “constructively tough” manner.
APRA is also bolstering its ability to assess the cyber resilience of the institutions we regulate by improving our own organisational capacity and turning to third party expertise for deeper assessments where we think it’s necessary. We’ll improve our cyber incident response capabilities to support institutions to recover from an incident as well as ensure our ability to enact the Financial Claims Scheme is not compromised.
We’re strengthening our alliances with peer regulators to boost our ability to assess the cyber resilience of regulated institutions. This includes executing the work plan of the Council of Financial Regulators’ Cyber Security Working Group, and engaging with the Federal Government as it consults on the development of the next national cyber security strategy to ensure the best response to this evolving threat.
The fog of war
APRA has previously observed that the unprecedented strength of the Australian economy over the past quarter century creates a degree of vulnerability, because it’s been so long since anyone had to deal with a serious downturn. In the same way, very few Australian businesses, certainly among APRA’s regulated entities, have experience responding to a major cyber security breach. This seeming positive creates the risk that companies may not be adequately prepared to respond as the “fog of war” descends during a real world attack.
To develop this level of ‘muscle memory’, organisations should be engaging their teams in tabletop exercises like the one we’ve participated in today. Doing so will help to ensure education and management plans are moulded around well-rehearsed responses to potential attacks, remain fit for purpose, and are tested at least annually, as required by CPS 234. Adopting an “assumed breach” mentality requires relentless preparation, with a focus on building resilience to attacks through detection and response capability rather than relying solely on preventative measures. Our cyber adversaries are creative, imaginative and agile. Our defence against them needs to be the same.