Scores of Australian companies and other entities have fallen victim to cyber criminals in recent years. Data breaches have risen sharply, and every stakeholder, notably the consumer, has become wary of the cybersecurity measures companies currently have in place. The spate of cyber attacks prompted APRA, the Australian Prudential Regulation Authority, an independent regulatory body in Australia, to conduct an expansive study of cyber resilience in financial services.
The findings were stark: most entities were found to have areas of non-compliance. APRA is targeting those areas through a tripartite cyber assessment involving 300 banks, superannuation trustees and insurers. The assessment required each entity to appoint an independent auditor to assess its compliance with prudential standard CPS 234 Information Security.
The auditors were given responsibilities of the kind usually performed by the Essential Eight security auditors at Cybernetic Global Intelligence, a global cybersecurity company based in Australia. The standard aims to ensure regulated entities have baseline prevention, detection and response capabilities to thwart cybersecurity threats. The first tranche of this assessment highlighted several gaps across the industry.
Findings of the Cybersecurity Assessment
The first tranche of the CPS 234 assessment found the following gaps:
- Incomplete classification and identification of sensitive information
- Limited assessment of the capability to ensure third-party information security
- Inadequate execution of control testing programmes
- Irregular testing or review of incident response plans
- Inconsistent reporting of control weaknesses and material incidents
Gap 1: Identification and classification of information assets
There are significant risks associated with information assets, including software, hardware and data, yet maturity in identifying and categorising these assets varies widely across the industry. According to Ravin Prasad, CEO of Cybernetic Global Intelligence, a global accredited cybersecurity organisation, this lack of proper identification and classification poses challenges for entities when it comes to protecting critical data from unauthorised access with the appropriate information security measures.
Some common gaps include:
- Inadequate establishment of policies and methodologies for classifying information assets, which results in a lack of clear criteria for determining the criticality and sensitivity of assets.
- Failure to regularly review and update information in asset registers by asset owners, as required by entities’ own policies. This leads to incomplete and inaccurate information about the assets.
- Insufficient identification and classification of information assets managed by third parties, and in some cases, a complete lack of identification.
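The three register gaps listed above are the kind of thing an auditor checks mechanically before sampling evidence. The script below is an added example, not code from the original article or from Cybernetic Global Intelligence: it runs a control test over a constructed asset register and flags assets with no classification under a defined scheme, assets whose owner review is overdue against the entity's own policy, and third-party-managed assets that were never classified. The classification levels, the annual review interval and the register fields are assumptions for the example; CPS 234 leaves the criteria to the entity.

```python
"""Added example: control test over an information-asset register.

Everything here is constructed for illustration. The classification
scheme, the review interval and the register layout are assumptions,
not requirements taken from CPS 234 or from any entity's policy.
"""
from collections import Counter
from datetime import date

# Assumed classification scheme; the entity's policy should define its own.
CLASSIFICATION_LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# Assumed policy: asset owners re-attest register entries at least annually.
REVIEW_INTERVAL_DAYS = 365


def find_register_gaps(register, today):
    """Return (asset_id, gap_code) tuples for every gap found in the register.

    Gap codes:
      unclassified             - classification missing or not in the scheme
      unclassified_third_party - same, but the asset is managed by a third party
      review_overdue           - owner has not reviewed the entry within policy
      no_owner                 - no accountable owner recorded
    """
    gaps = []
    for asset in register:
        asset_id = asset["id"]

        # Gap 1a: no clear classification against the defined criteria.
        if asset.get("classification") not in CLASSIFICATION_LEVELS:
            if asset.get("managed_by_third_party"):
                gaps.append((asset_id, "unclassified_third_party"))  # Gap 1c
            else:
                gaps.append((asset_id, "unclassified"))

        # Gap 1b: owner review missing or older than the policy interval.
        last_review = asset.get("last_owner_review")
        if last_review is None or (today - last_review).days > REVIEW_INTERVAL_DAYS:
            gaps.append((asset_id, "review_overdue"))

        # An entry without an accountable owner cannot be reviewed at all.
        if not asset.get("owner"):
            gaps.append((asset_id, "no_owner"))
    return gaps


def summarise(gaps):
    """Count gaps by code, which is what goes into the assurance report."""
    return dict(Counter(code for _, code in gaps))


# Constructed register: four assets chosen to exercise each gap once.
SAMPLE_REGISTER = [
    {"id": "A1", "classification": "restricted", "owner": "payments-ops",
     "last_owner_review": date(2024, 3, 1), "managed_by_third_party": False},
    {"id": "A2", "classification": None, "owner": "hr",
     "last_owner_review": date(2023, 1, 15), "managed_by_third_party": False},
    {"id": "A3", "classification": "secret", "owner": "",
     "last_owner_review": date(2024, 5, 2), "managed_by_third_party": True},
    {"id": "A4", "classification": "internal", "owner": "it",
     "last_owner_review": None, "managed_by_third_party": False},
]
AS_OF = date(2024, 6, 30)

if __name__ == "__main__":
    found = find_register_gaps(SAMPLE_REGISTER, AS_OF)
    for asset_id, code in found:
        print(f"{asset_id}: {code}")
    print(summarise(found))
```

Note that "secret" on A3 is treated as unclassified because it is not a level the scheme defines; a register that accepts free-text classifications is itself a finding under the first bullet above.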
Gap 2: Information security control of third parties
Obtaining adequate assurance over the information security controls implemented by third-party service providers is a widespread challenge, and a growing one as organisations increasingly rely on these providers to operate crucial systems.
Key issues include:
- Limited or nonexistent scope of information security control assessment plans for third parties.
- Reliance on self-assessment by the third party without independent verification through additional testing.
- Failure to retain evidence of control testing, making it difficult to substantiate test conclusions.
- Inadequate alignment of the nature and frequency of testing with the criticality and sensitivity of the information assets managed by third parties.
Gap 3: Control testing programmes
An APRA-regulated entity is required to conduct a comprehensive testing programme to assess the effectiveness of its information security controls. However, initial findings have revealed several shortcomings in the testing programmes of these entities. These deficiencies include incompleteness, inconsistency, a lack of independence, and insufficient assurance for management and the Board.
The identified gaps are as follows:
- Absence or inadequate coverage of key controls in information control assurance programmes and plans, including:
  - User-access reviews
  - Physical security control tests
  - Data loss prevention controls
- Insufficient alignment between the nature and frequency of testing and the criticality and sensitivity of information assets.
- Lack of functional independence among the testers responsible for conducting the testing.
- Inconsistency in testing procedures and criteria for determining success.
- Failure to retain evidence that would allow evaluation of the effectiveness of information security controls.
Gap 4: Plans for incident response
An APRA-regulated entity is required to have robust plans in place to address potential information security incidents. However, assessments have revealed that the information security incident response plans of these entities often exhibit deficiencies, such as incompleteness and a lack of regular testing and review.
The common gaps identified are as follows:
- Absence of incident response plans or failure to regularly review and test existing plans.
- Lack of clarity in the incident management policy and process regarding the roles and responsibilities of third parties.
- Limited coverage of plausible disruption scenarios in the incident response playbooks.
Gap 5: Review of information security controls
An APRA-regulated entity is required to incorporate a review of information security controls, including those maintained by third parties, into its internal audit activities. However, the assessment reveals that the evaluation of third-party information security controls by internal audit is significantly lacking throughout the industry.
The common gaps identified are as follows:
- Limited scrutiny of information security controls operated by third parties by internal audit.
- In certain instances, internal auditors conducting control testing lack the essential information security expertise.
Gap 6: Notification of control weaknesses
Entities are obligated to inform APRA about significant incidents and control vulnerabilities within their cyber security systems. However, the assessment indicates that the process of identifying and defining such incidents for reporting to APRA is frequently inconsistent, unclear, or entirely absent.
The common gaps identified are as follows:
- Entity policies do not include the requirements for APRA notification.
- Contracts with critical third parties lack the stipulation to report material incidents and control weaknesses to APRA.
- The criteria to identify material and reportable incidents and control weaknesses are not clearly defined.
- There is a lack of established or enforced processes to ensure timely reporting.
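The third and fourth bullets above (undefined materiality criteria and no enforced process for timely reporting) are the ones an entity can close with a small, testable triage rule. The code below is an added example, not from the original article or from Cybernetic Global Intelligence. It applies an assumed set of materiality criteria to a constructed event and computes the notification deadline from the moment the entity became aware of it. The deadlines used are those CPS 234 itself sets: no later than 72 hours after becoming aware of a material information security incident, and no later than 10 business days after becoming aware of a material control weakness. The materiality criteria, the critical-asset set and the absence of a public-holiday calendar are assumptions for the example.

```python
"""Added example: triage of incidents and control weaknesses for APRA notification.

The 72-hour and 10-business-day windows are the CPS 234 notification
requirements. The materiality criteria and the sample events are assumed
for illustration; an entity must define its own criteria in policy.
"""
from datetime import datetime, timedelta

INCIDENT_WINDOW = timedelta(hours=72)   # material incident: 72 hours from awareness
WEAKNESS_BUSINESS_DAYS = 10             # material control weakness: 10 business days

# Assumed: assets the entity's register classifies as critical or sensitive.
CRITICAL_ASSETS = {"core-banking", "customer-pii-store", "payments-gateway"}


def add_business_days(start, days):
    """Advance by whole business days, skipping weekends only.
    Public holidays are deliberately not modelled here (assumption)."""
    current = start
    added = 0
    while added < days:
        current += timedelta(days=1)
        if current.weekday() < 5:   # Monday..Friday
            added += 1
    return current


def is_material(event):
    """Assumed materiality criteria: touches a critical/sensitive asset,
    or has customer impact. Third-party origin does not change the test;
    the clock runs from when the entity itself became aware."""
    touches_critical = bool(set(event.get("assets", [])) & CRITICAL_ASSETS)
    return touches_critical or bool(event.get("customer_impact", False))


def triage(event):
    """Decide whether an event is reportable and by when.

    event: {"id", "kind": "incident"|"weakness", "aware_at": datetime,
            "assets": [...], "customer_impact": bool, "source": str}
    Returns a dict that can be written to the entity's notification register.
    """
    if event["kind"] not in ("incident", "weakness"):
        raise ValueError(f"unknown event kind: {event['kind']}")

    material = is_material(event)
    aware_at = event["aware_at"]
    if not material:
        deadline = None   # record internally; no APRA notification required
    elif event["kind"] == "incident":
        deadline = aware_at + INCIDENT_WINDOW
    else:
        deadline = add_business_days(aware_at, WEAKNESS_BUSINESS_DAYS)

    return {
        "id": event["id"],
        "kind": event["kind"],
        "material": material,
        "notify_apra": material,
        "notify_by": deadline,
        "source": event.get("source", "internal"),
    }


# Constructed events; 2024-06-28 is a Friday, so the weakness deadline crosses two weekends.
SAMPLE_EVENTS = [
    {"id": "INC-1", "kind": "incident", "aware_at": datetime(2024, 6, 28, 9, 0),
     "assets": ["payments-gateway"], "customer_impact": False, "source": "third-party"},
    {"id": "WK-1", "kind": "weakness", "aware_at": datetime(2024, 6, 28, 9, 0),
     "assets": ["customer-pii-store"], "customer_impact": False, "source": "internal-audit"},
    {"id": "INC-2", "kind": "incident", "aware_at": datetime(2024, 6, 28, 9, 0),
     "assets": ["staff-wiki"], "customer_impact": False, "source": "internal"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
```

Because the rule is code rather than judgement, the same test can be handed to a critical third party in contract form: the provider reports the event and the time it became known, and the entity's own process, not the provider's, decides whether and when APRA is notified.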
Conclusion
Companies and entities are now taking part in the subsequent tranches of the APRA assessment. They should review the weaknesses described above and adopt the strategies needed to address them. Cybersecurity companies such as Cybernetic Global Intelligence can help entities comply with the APRA prudential standard CPS 234 on information security. For details, call 1300 292 736 or email Contact@cybernetic-gi.com.