Insight

Cyber security stocktake exposes gaps

Some of the world’s largest brands have fallen victim to major data breaches in recent years. Rates of cybercrime have increased and criminal attacks have become more sophisticated. Australia has not been immune; recent, well-publicised cyberattacks are among the largest in the country’s corporate history. Early findings from an expansive APRA study on cyber resilience in financial services show there is a need to raise the bar. Given the risk cyberattacks pose to institutions and the Australian community, APRA is rigorously targeting areas of non-compliance.

By the end of this year, more than 300 banks, insurers and superannuation trustees will have participated in an independent tripartite cyber assessment, the largest study of its kind conducted by APRA. The assessment required APRA-regulated entities to appoint an independent auditor to assess their compliance with prudential standard CPS 234 Information Security (CPS 234).

The purpose of the standard is to ensure that regulated entities have baseline prevention, detection and response capability to withstand cyber security threats. 

The decision to undertake the CPS 234 tripartite assessment sits as part of APRA’s 2020–2024 Cyber Security Strategy, starting with a small pilot that was completed in mid-2021. Like the pilot, results from this first tranche of assessments highlight several concerning gaps across the industry. 

Where gaps are identified and breach reporting is undertaken, APRA intensifies its supervisory oversight. This helps to ensure entities remediate cyber resilience deficiencies and meet their CPS 234 obligations. 

Summary of first round of findings


Around a quarter of APRA’s regulated entities (~24%) were assessed in the first tranche of CPS 234 assessments. The most common control gaps identified in this tranche were:

  1. incomplete identification and classification for critical and sensitive information assets;
     
  2. limited assessment of third-party information security capability;
     
  3. inadequate definition and execution of control testing programs; 
     
  4. incident response plans not regularly reviewed or tested;
     
  5. limited internal audit review of information security controls; and
     
  6. inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner.

Gap 1: Identification and classification of information assets 


Information assets including software, hardware and data (both hard and soft copy) carry significant value and risk. APRA has observed varying levels of maturity across industries regarding identifying and classifying information assets. Without proper identification and classification, it can be difficult for entities to determine the appropriate information security controls to protect critical and sensitive data from unauthorised access or disclosure.

Common gaps include: 

  • information asset classification policies and methodologies are not fully established and do not clearly define the criteria of what assets should be considered critical and/or sensitive;
     
  • information in asset registers is not reviewed and updated regularly by asset owners, as required by entities’ own policies, leading to incomplete and inaccurate information; and 
     
  • information assets managed by third parties are not fully identified and classified and, in some cases, not identified at all.

To address these gaps, entities would benefit from: 

  • considering the potential impact of a security compromise on the asset when defining asset classification policies and criteria;
     
  • utilising an information asset inventory repository such as a configuration management database (CMDB) to facilitate asset registration and mapping of interrelationships; and 
     
  • ensuring the information asset inherits the highest criticality and sensitivity ratings of its constituent components. 
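The inheritance rule in the last bullet is simple to state but easy to get wrong at scale, particularly once third-party-hosted components enter the dependency graph. The following Python is an added illustration and is not APRA’s or any entity’s code: it models a small constructed asset register (the asset names, owners, ratings, review interval and CMDB-style component relationships are all assumed), propagates the highest criticality and sensitivity up through each asset’s components, refuses circular compositions, and flags the gaps listed above (assets without a classification, third-party-managed assets in particular, and entries overdue for owner review under an assumed annual review policy).

```python
"""Propagate criticality/sensitivity through a constructed asset register.

Added example, not APRA's or any regulated entity's code. The rating scales,
the annual review interval and the register contents are assumptions chosen
to illustrate the inheritance rule, not values prescribed by CPS 234.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Ordered from lowest to highest; index position is the rank used for max().
CRITICALITY = ["low", "medium", "high", "critical"]
SENSITIVITY = ["public", "internal", "confidential", "restricted"]
REVIEW_INTERVAL = timedelta(days=365)   # assumed entity policy: annual owner review
AS_AT = date(2023, 9, 1)                # constructed "today" for the demo


@dataclass
class Asset:
    name: str
    owner: str
    managed_by: str = "internal"         # "internal" or the name of a third party
    criticality: str | None = None       # None = not yet classified
    sensitivity: str | None = None
    components: list[str] = field(default_factory=list)   # names of constituent assets
    last_reviewed: date | None = None


def _rank(scale: list[str], value: str | None) -> int:
    """Rank on the scale; an unclassified value ranks below everything."""
    return -1 if value is None else scale.index(value)


def effective_ratings(register: dict[str, Asset]) -> dict[str, tuple]:
    """Return {asset: (criticality, sensitivity)} where every asset inherits the
    highest rating among its own and all of its components, transitively."""
    memo: dict[str, tuple[int, int]] = {}
    in_progress: set[str] = set()

    def visit(name: str) -> tuple[int, int]:
        if name in memo:
            return memo[name]
        if name in in_progress:
            raise ValueError(f"circular composition through {name!r}")
        asset = register[name]
        in_progress.add(name)
        crit = _rank(CRITICALITY, asset.criticality)
        sens = _rank(SENSITIVITY, asset.sensitivity)
        for comp in asset.components:
            if comp not in register:
                raise KeyError(f"{name!r} lists unknown component {comp!r}")
            c, s = visit(comp)
            crit, sens = max(crit, c), max(sens, s)
        in_progress.discard(name)
        memo[name] = (crit, sens)
        return memo[name]

    out = {}
    for name in register:
        crit, sens = visit(name)
        out[name] = (CRITICALITY[crit] if crit >= 0 else None,
                     SENSITIVITY[sens] if sens >= 0 else None)
    return out


def register_gaps(register: dict[str, Asset], today: date) -> list[tuple[str, str]]:
    """Flag unclassified entries (noting who manages them) and stale owner reviews."""
    findings = []
    for a in register.values():
        if a.criticality is None or a.sensitivity is None:
            findings.append((a.name, f"unclassified (managed by {a.managed_by})"))
        if a.last_reviewed is None or today - a.last_reviewed > REVIEW_INTERVAL:
            findings.append((a.name, "owner review overdue"))
    return findings


# Constructed register: the mailer is third-party managed and never classified,
# yet it consumes the restricted customer database.
REGISTER = {a.name: a for a in [
    Asset("Internet banking", "Head of Digital", criticality="high", sensitivity="internal",
          components=["Web tier", "Core banking API"], last_reviewed=date(2023, 3, 1)),
    Asset("Web tier", "Platform Eng", criticality="medium", sensitivity="public",
          last_reviewed=date(2023, 3, 1)),
    Asset("Core banking API", "Core Systems", criticality="high", sensitivity="confidential",
          components=["Customer DB"], last_reviewed=date(2021, 6, 1)),
    Asset("Customer DB", "Data Services", managed_by="CloudCo (assumed)",
          criticality="critical", sensitivity="restricted", last_reviewed=date(2023, 3, 1)),
    Asset("Statement mailer", "Operations", managed_by="PrintCo (assumed)",
          components=["Customer DB"]),
]}

if __name__ == "__main__":
    for name, (crit, sens) in effective_ratings(REGISTER).items():
        print(f"{name:18} criticality={crit} sensitivity={sens}")
    for name, issue in register_gaps(REGISTER, AS_AT):
        print(f"GAP  {name}: {issue}")
```

Note that the effective rating and the recorded rating are reported separately on purpose: an asset whose effective rating is driven entirely by its components (the mailer above) is exactly the case where the register entry itself is unclassified and a third party is managing it, which is the gap the assessment most often found.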

Gap 2: Information security controls of third parties 


Achieving sufficient assurance over information security controls operated by third-party service providers is a common challenge. This is a growing concern as entities increasingly rely on service providers to manage critical systems.

Common gaps include: 

  • information security control assessment plans for third parties have limited scope, or in some cases, do not exist;
     
  • control design and operating effectiveness are often based on the third party’s self-assessment only, without verification through additional independent testing;
     
  • control testing evidence is not being retained to substantiate test conclusions; and
     
  • the nature and frequency of testing is not aligned to the criticality and sensitivity of information assets managed by third parties.

To address these gaps, an entity would typically:

  • understand which information assets are managed by third parties and use this to determine the level of rigour required in testing; 
     
  • understand the controls that the third parties have in place; 
     
  • test third party control effectiveness through a combination of interviews, surveys, control testing, certifications, contractual reviews, attestations, referrals and independent assurance assessments; and
     
  • ensure any capability gaps identified are addressed in a timely manner.

Gap 3: Control testing programs 


An APRA-regulated entity must test the effectiveness of its information security controls through a systematic testing program. Findings from the first tranche have shown that, in many cases, the testing programs of entities are incomplete, inconsistent, lack independence and do not provide adequate assurance for management and the Board.

Common gaps include: 

  • information control assurance programs and plans are not in place or have inadequate coverage of key controls, such as:

o    user access reviews
o    physical security control tests 
o    data loss prevention controls;

  • the nature and frequency of the testing is often not commensurate with the criticality and sensitivity of information assets;
     
  • testing is not performed by functionally independent testers;
     
  • testing procedures and success criteria lack consistency; and
     
  • evidence evaluated to determine the effectiveness of information security controls is not retained.

To address these gaps, an entity would typically:

  • adopt a variety of testing approaches (see Appendix G of CPG 234);
     
  • define clear success criteria (including when re-testing is required); and 
     
  • conduct testing by appropriately skilled and functionally independent specialists who do not have operational responsibility for the controls being validated.

Gap 4: Incident response plans


An APRA-regulated entity must maintain plans to respond to information security incidents that the entity considers could plausibly occur. The assessments found that information security incident response plans were often incomplete and lacked regular testing and review.

Common gaps include:

  • incident response plans are not in place, not reviewed and / or not tested regularly;
     
  • incident management policy and process do not clearly define the roles and responsibilities of third parties; and
     
  • incident response playbooks have limited plausible disruption scenarios.

To address these gaps, entities must ensure their incident response plans (including those operated by third parties) are tested at least annually to ensure they remain fit-for-purpose. 

These plans would:

  • cover a broad range of plausible disruption scenarios, including: 

o    malware infection (including ransomware);
o    data breach;
o    compromise of staff or customer credentials;
o    denial-of-service attacks;
o    hack of an internet-facing platform;
o    website defacement; and
o    compromise by an advanced persistent threat; and

  • have sufficient details to help minimise the amount of decision-making required and provide clarity regarding roles and responsibilities during an information security incident.

Gap 5: Internal audit reviews of information security controls 


An APRA-regulated entity’s internal audit activities must include a review of the effectiveness of information security controls, including those maintained by third parties. Findings from the assessment indicate that internal audit assessment of third-party information security controls is limited across the industry. 

Common gaps include:

  • limited review of third party-operated information security controls by internal audit; and
     
  • in some cases, internal auditors performing control testing lack the necessary information security skills.

To address these gaps, entities’ internal audit teams would:

  • target audit areas where the impact of an information security compromise is material and the ability to place reliance on other control testing undertaken is low;
     
  • review the scope and quality of the testing conducted by other areas and third parties to determine how much reliance can be placed upon it; and 
     
  • report any material deficiencies identified or the absence of any assurance to the Board.

Gap 6: Notification of material incidents and control weaknesses


APRA must be notified of material information security incidents and material control weaknesses. Under CPS 234, that means notifying APRA as soon as possible and no later than 72 hours after becoming aware of a material information security incident, and no later than 10 business days after becoming aware of a material control weakness the entity expects it will not be able to remediate in a timely manner. The assessment has found that the process to identify and define these for reporting to APRA is often inconsistent, unclear and, in some cases, not in place at all. 

Common gaps include:

  • APRA notification requirements are not included in entity policy;
     
  • contracts with critical third parties do not contain the requirement to report material incidents and control weaknesses to APRA;
     
  • criteria to identify material and reportable incidents and control weakness are not clearly defined; and
     
  • the process to ensure timely reporting is not established or not enforced.

Entities must identify and report material information security incidents and control weaknesses to APRA, and would benefit from: 

  • having clear governance processes for escalating incidents and control weaknesses to the relevant governance bodies and notifying APRA within the required timeframes; and 
     
  • utilising various mechanisms to identify material control weaknesses, including control testing, assurance activities, information security incidents, vulnerability notification by software and hardware vendors, and other forms of notification by third parties and related parties. 

Looking ahead


Entities are currently participating in the second and third tranches of APRA’s assessment, and the fourth and final tranche is expected to be rolled out later in the year. 

APRA encourages every entity to review those common weaknesses outlined above, along with the prudential standard itself, and incorporate relevant strategies and plans to address shortfalls in their cyber security controls and governance policies.

APRA will continue to work with those entities that do not sufficiently meet CPS 234 requirements, and will further engage with the industry to lift the benchmark for cyber resilience across the Australian financial services industry. 


Where necessary, APRA will write to industry to advise of and promote a specific response, as it did recently with multi-factor authentication. Multi-factor authentication (MFA) is one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and accessing sensitive information, although the strength of the control depends on the factor chosen: SMS codes and push approvals can be phished or fatigued, whereas phishing-resistant factors such as FIDO2 security keys are not. APRA has recently provided additional information to regulated entities regarding the utility of MFA in preventing cyber breaches and reminded them of their requirements under CPS 234 and its accompanying guide, CPG 234.



Disclaimer
This article shares APRA’s general observations following this recent study. The information included is not intended as policy. CPS 234 Information Security (CPS 234) remains the prudential standard to which APRA’s regulated entities should refer in order to meet their compliance obligations.


The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, mutuals, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding around $9 trillion in assets for Australian depositors, policyholders and superannuation fund members.