CSOs may benefit as CPS 234 tasks boards with financial-services cybersecurity

Financial institutions will be expected to exhaustively evaluate the information-security practices of strategic partners and service providers from July 1, as new CPS234 regulations take effect in a process that will light a fire under industry compliance efforts – and threaten banks with fines if they don’t stop cyberattacks.

With just days to go until the deadline, the Australian Prudential Regulatory Agency (APRA) this week responded to submissions around the Prudential Standard CPS 234 Information Security (CPS234).

“APRA expects that a regulated entity will assess the information security capability of all third parties that manage information assets on its behalf,” the regulator advised, “commensurate with the potential consequences of an information security incident affecting those assets.”

Affected entities would not be able to assume that third parties have adequate information-security practices just because they face their own industry regulations, APRA clarified.

They would also be expected to have undergone a formal classification of their information security assets as per the Prudential Practice Guide CPG 234 Information Security – a set of guidelines that lays out requirements for information-security practice for a range of corporate entities.

A corporate board must, the agency said, “clearly outline how it expects to be engaged with respect to information security, including escalation of risks, issues, and reportinghellip; in APRA’s view, effective information security reporting normally incorporates both quantitative and qualitative content.”

The new regulations’ assertions about board obligations mean that CPS 234 compliance extends well past the IT, risk, and governance fiefdoms.

“It affects the whole company and requires Board approval for the CISO and/or CIO to work effectively,” said Terry Burgess, APJ vice president with Sailpoint, who presaged growing investment in process automation to better automate governance, risk and compliance (GRC) programs.

Automation “paves the way for compliance to be easily enforced, without impacting user experience,” he said. “Moving forward, organisations should start any project by getting the Board’s buy in from the get-go, in order to maintain compliance.”

CPG 234 offers an extensive framework for regular activities including cybersecurity testing, reporting structures, response plans, and more. This may prove too late for the many financial-services companies that have already been breached – the industry has consistently been the second most-frequently breached in reports on notifications under the notifiable data breaches (NDB) scheme – but for others it provides clearer guidance on contemporary expectations around information-security practices.

Despite their improvements, however, one cybersecurity expert believes CPS 234 should have offered more guidance around red-teaming strategies – which a growing number of organisations recognise as being a prudent part of any cybersecurity defence.

CPS 234 “builds a good foundation of these controls that you should have, and the fact we are at least creating a cybersecurity specific framework for the financial services industry is a step in the right direction,” Kevin Tran, director of Trustwave’s SpiderLabs APAC, told CSO Australia.

“But it’s missing that aspect about how you can safely conduct a cyber attack against the company to see just how effective their controls are.”

Penetration testing is alluded to in CPG 234, but Tran said red-teaming is more relevant because it more closely reflects actual cybercriminal practice.

“Pen testing is a very focused and targeted exercise with a defined scope,” he explained. “The introduction of regulated red teaming, as a cyber attack simulation exercise, would be an uplift by testing that CPS234 is effective – and putting the people responsible for cybersecurity under the pump.”

Yet many financial-services companies, experts warn, may be ignoring the implications of the guidelines believing that they mainly apply to big banks – and that could lead to some tears as APRA clamps down hard on non-compliance.

Conversations with many companies in the industry have revealed that many are “generally smaller FSI players who feel that APRA may request this, but not action it for them,” said Illumio APAC VP Rob van Es. “It’s these guys that have the most to lose, especially if they’ve not had to deal with [these] compliance challenges in the past.”

Overall, however, observers believe putting the clear onus on boards will drive an important transformation in attitudes that may help CISOs better engage with senior executives on cybersecurity issues.

“The rise in high-profile data breaches and cybercrime has prompted corporate boards to pay closer attention to their organisations’ security practices,” said Tenable ANZ country manager Bede Hackney in a statement.

“With CPS 234 coming into effect, it has never been more important for banks to have visibility into all assets across their digital infrastructure, to continuously identify vulnerabilities and misconfigurations, and accurately prioritise their response to rigorously protect customer data.”