Financial institutions will be expected to exhaustively evaluate the information-security practices of strategic partners and service providers from July 1, as new CPS234 regulations take effect in a process that will light a fire under industry compliance efforts – and threaten banks with fines if they don’t stop cyberattacks.

With just days to go until the deadline, the Australian Prudential Regulatory Agency (APRA) this week responded to submissions around the Prudential Standard CPS 234 Information Security (CPS234).

“APRA expects that a regulated entity will assess the information security capability of all third parties that manage information assets on its behalf,” the regulator advised, “commensurate with the potential consequences of an information security incident affecting those assets.”

Affected entities would not be able to assume that third parties have adequate information-security practices just because they face their own industry regulations, APRA clarified.

They would also be expected to have undergone a formal classification of their information security assets as per the Prudential Practice Guide CPG 234 Information Security – a set of guidelines that lays out requirements for information-security practice for a range of corporate entities.

A corporate board must, the agency said, “clearly outline how it expects to be engaged with respect to information security, including escalation of risks, issues, and reporting… in APRA’s view, effective information security reporting normally incorporates both quantitative and qualitative content.”

The new regulations’ assertions about board obligations mean that CPS 234 compliance extends well past the IT, risk, and governance fiefdoms.

“It affects the whole company and requires Board approval for the CISO and/or CIO to work effectively,” said Terry Burgess, APJ vice president with Sailpoint, who predicted growing investment in process automation to improve governance, risk and compliance (GRC) programs.

Automation “paves the way for compliance to be easily enforced, without impacting user experience,” he said. “Moving forward, organisations should start any project by getting the Board’s buy in from the get-go, in order to maintain compliance.”

CPG 234 offers an extensive framework for regular activities including cybersecurity testing, reporting structures, response plans, and more. This may prove too late for the many financial-services companies that have already been breached – the industry has consistently been the second most-frequently breached in reports on notifications under the notifiable data breaches (NDB) scheme – but for others it provides clearer guidance on contemporary expectations around information-security practices.

Despite these improvements, however, one cybersecurity expert believes CPS 234 should have offered more guidance around red-teaming strategies – which a growing number of organisations recognise as a prudent part of any cybersecurity defence.

CPS 234 “builds a good foundation of these controls that you should have, and the fact we are at least creating a cybersecurity specific framework for the financial services industry is a step in the right direction,” Kevin Tran, director of Trustwave’s SpiderLabs APAC, told CSO Australia.

“But it’s missing that aspect about how you can safely conduct a cyber attack against the company to see just how effective their controls are.”

Penetration testing is alluded to in CPG 234, but Tran said red-teaming is more relevant because it more closely reflects actual cybercriminal practice.

“Pen testing is a very focused and targeted exercise with a defined scope,” he explained. “The introduction of regulated red teaming, as a cyber attack simulation exercise, would be an uplift by testing that CPS234 is effective – and putting the people responsible for cybersecurity under the pump.”

Yet many financial-services companies, experts warn, may be ignoring the implications of the guidelines, believing that they mainly apply to big banks – and that could lead to some tears as APRA clamps down hard on non-compliance.

Conversations with many companies in the industry have revealed that many are “generally smaller FSI players who feel that APRA may request this, but not action it for them,” said Illumio APAC VP Rob van Es. “It’s these guys that have the most to lose, especially if they’ve not had to deal with [these] compliance challenges in the past.”

Overall, however, observers believe putting the clear onus on boards will drive an important transformation in attitudes that may help CISOs better engage with senior executives on cybersecurity issues.

“The rise in high-profile data breaches and cybercrime has prompted corporate boards to pay closer attention to their organisations’ security practices,” said Tenable ANZ country manager Bede Hackney in a statement.

“With CPS 234 coming into effect, it has never been more important for banks to have visibility into all assets across their digital infrastructure, to continuously identify vulnerabilities and misconfigurations, and accurately prioritise their response to rigorously protect customer data.”