Finance CIOs must review security controls now

Tech chiefs working in financial services must immediately assess their current security controls to ensure they comply with cybersecurity requirements set out by the Australian Prudential Regulation Authority (APRA), says NCC Group's Joss Howard.

All APRA-regulated entities are expected to meet the new requirements for Prudential Standard CPS 234 (CPS 234) Information Security by July this year. CPS 234 requires APRA-regulated entities to clearly define information-security roles and responsibilities; maintain an information security capability commensurate with the size and extent of threats; implement controls to protect information and undertake regular testing to ensure they are effective; and promptly notify APRA of security incidents.

These requirements will increase pressure on financial services organisations in the midst of moving away from their traditional ways of doing business to new models that rely heavily on data and the creation of new digital services for customers. This will be compounded by the incoming the government’s incoming open banking regulations – which will require increased security of data, Howard, who is head of risk management and governance consulting, APAC at the information consulting firm told CIO Australia.

If CIOs see gaps, they must remediate them as soon as they can or risk being fined heavily by APRA for any security breaches, said Howard. 

She said that depending on the size of the financial organisation they work for, CIOs will have different risk appetites.

“There may be one or two team member companies that have developed a product or service and their appetite is totally different to the larger big four banks,” she said.

“A two-person team would probably take a far greater risk of doing something non-regulatory than the big four [banks] because the consequences are far greater at the big end of town.”

These smaller organisations will take the risk because they don’t understand the consequences if they’ve never been impacted by a regulatory commission or investigation, said Howard.

“On the other side you have the 'big four' CIOs, who have probably been highly audited, highly regulated over the years, so they know the consequences. Whenever [NCC] did this kind of regulatory assessment of a smaller organisation, they usually have some governance in place, but it’s often basic and barely in operation across the organisation,” she said.

From Howard’s experience, the importance of appropriate governance will increase for CIOs depending on the dollar sign at the end of the day.

“For the larger, more established financial institutions like the big four, they’re going to have all the systems and processes in place that they need to comply, and this extends to their suppliers too,” she said.

Howard recommends these six steps to begin appropriate governance: 

• Set the information security policy. Implement an information security policy sets the standard of information security governance within the business, an important first step.
• Examine the assets. Determine what information assets are in use, their purpose, who consumes that information, data flows and storage areas helps to identify the organisation’s information risk exposure.
• Classify the assets. After identifying the information assets and their location, classify the organisation’s assets (including those managed by third parties) based on criticality, sensitivity and impact to the business if compromised.
• Know the threats and understand the risks. Assess what threats could initiate a threat event and exploit a vulnerability, causing a business impact. By determining how these factors interrelate and their impact, they can be reduced by sound security controls.
• Plan what to do in the event on an information security incident. It is important that all APRA-regulated entities test their incident plans regularly and effectively, especially where the incident has identified an information breach. 
• Assess and re-assess. This ensures that the organisation complies with the prudential standard, and not fall afoul of APRA’s enforcement approach, APRA-regulated businesses should include the requirements of the CPS 234 standard in their internal audit program.