How should your organisation maintain resilience to cyber threats

Organisations must maintain a posture of continuous resilience to prepare for and adapt to the changing cyber threat landscape - are you prepared?

APRA has released the updated Prudential Practice Guide CPG 234 Information Security ( CPG) to assist organisations to comply with Prudential Standard CPS 234 Information Security ( CPS 234) which commenced on 1 July 2019. CPG provides insights into how APRA views cybersecurity threats and how the regulator will likely enforce obligations under CPS 234 for regulated entities.

It is evident that the threat landscape has changed considerably and could significantly impact financial institutions an APRA Executive Board Member Geoff Summerhayes has stated:

“Cyber-adversaries are targeting Australia's banks, insurers and superannuation licensees with growing frequency and sophistication. ..It is only a matter of time until an Australian financial institution suffers a material information security breach of the kind we've seen overseas, so they must be prepared.” ¹

CPS 234 does not restrict the delegation of information security roles and responsibilities, however, the board has ultimate responsibility. In recognition of this, it is likely that should board members not actively question management to ensure compliance to the standards they will be held accountable, leading to potential implications for their insurance such as Directors & Officers insurance policies.

Management should work closely with their risk and compliance functions to ensure policies and reporting processes are established and that they align with the requirements of CPS 234. Regulated entities that typically rely heavily on external providers for services will need to ensure current and future third party arrangements meet the requirements of CPS 234.

Once aligned to CPS 234, all internal governance functions, in conjunction with legal and procurement, will need to ensure controls are tested regularly. This testing should extend to cover security due diligence and audits of third parties prior to contracting. Any issues highlighted by this audit process should be rectified as soon as practical to maintain compliance with the CPS 234. 

Under the CPG obligations, all information held by the organisation including software, hardware or data (both tangible and intangible) will be subject to the CPS 234 and CPG 234.  Given this, organisations should consider having a comprehensive data classification policy in place, to ensure they have a full understanding of their information assets. 

There are strict reporting requirements and APRA will need to be notified as soon as practical but no later than 72hrs after becoming aware of a material incident. In the event, the organisation notices security control weakness then the organisation must notify APRA within 10 business days. It is important for organisations to note these requirements are in addition to any other notification requirement such as the notifiable data breach scheme or GDPR.

In order for your organisation to be prepared for and adapt to the changing threat landscape, and critically, to recover from disruptive attacks, consideration should be given to the following:

• Do you know what cyber security risks your organisation is exposed to? – determine strengths and weakness within existing controls to determine whether they are appropriate to protect, recover and respond to relevant threats.
• Have you classified your data? – not only should your organisation understand all information assets, but the information classifications should be reviewed at least annually.
• Continually update and test incident response and disaster recovery plans –ensure that the procedures in place are updated with all requirements to notify an incident, and regularly test these procedures to ensure they work practically.
• Staff awareness training – given many incidents are occurring as a result of human error it is important that your organisation conducts regular training for staff on cyber security and implement training as part of the on boarding process².

Marsh’s Cyber team has developed a range of risk assessment and quantification tools to help clients identify, manage and transfer the risk associated with various cyber events. Please contact a member of the Marsh Cyber team or your servicing broker for further information. 

This document and any recommendations, analysis, or advice provided by Marsh (collectively, the ‘Marsh Analysis’) are not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Marsh Pty Ltd (ABN 86 004 651 512, AFSL 238983) arrange the insurance and is not the insurer. This document contains proprietary, confidential information of Marsh and may not be shared with any third party, including other insurance producers, without Marsh’s prior written consent. Any statements concerning legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as legal advice, for which you should consult your own professional advisors. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Except as may be set forth in an agreement between you and Marsh, Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party with regard to the Marsh Analysis or to any services provided by a third party to you or Marsh. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage. LCPA No. 19/069..

¹ https://www.apra.gov.au/media-centre/media-releases/apra-finalises-updated-guidance-information-security

² https://www.allens.com.au/insights-news/insights/2019/06/final-apra-guidance-on-information-security-released-are-you-prepared