Australia's New Infosec Regulation: A Compliance Challenge
Crunch Time as Deadline Approaches for CPS 234
Health insurers and financial institutions across Australia are in the final stretch of preparing for a cybersecurity regulation that looks to put companies on a strong footing in an increasingly hostile hacking environment.
The regulation, which goes into effect July 1, comes from the Australian Prudential Regulation Authority. APRA oversees credit unions, health insurers and companies that manage retirement funds, which in Australia are referred to as superannuation.
Called CPS 234, the regulation aims to ensure organizations have the capability to evaluate risk, apply appropriate controls and deal with security incidents. It also puts in place new reporting and testing requirements and responsibilities for data that's managed by third parties or outsourcers.
APRA, which doesn't usually grant media interviews, tells Information Security Media Group: "Unfortunately, it is only a matter of time until a significant cyber breach occurs at an Australian financial institution. By introducing a new standard, and updated prudential guidance, APRA aims to ensure all regulated entities develop and maintain information security capabilities that reflect the importance of the data they hold and the significance of the threats they face."
Cybersecurity standards and regulations are often criticized as being box-ticking exercises. But CPS 234 is a capability- and principle-based regulation. As a result, it leaves much for organizations to decide for themselves, says Anthony Robinson, cyber security financial services partner at the consultancy EY.
"That's good and it's bad," Robinson says. "It's good in a sense that they're really requiring businesses to form their own judgments on risk based around their own risk tolerances. It's bad in the sense that they've then got to actively make some of those decisions themselves and work out what's important to them and what's not."
It also increases the accountability of company boards. Under the regulation, the boards of APRA-regulated entities are ultimately responsible for security issues, and companies need to have clear lines of responsibility.
What Data Is Important?
Rather than dictating which controls should be applied to data, APRA requires organizations to make that call themselves: the security controls must be commensurate with the sensitivity and criticality of the data they protect. Those decisions have to be defensible to APRA, which can then decide whether an organization is compliant.
It's challenging because it requires companies to evaluate and classify the data they hold, as well as data handled by their partners. There's also the task of dealing with unstructured data, which may need protection.
Militaries have always had classifications around data, but there's not quite the same application in the private sector, says Joss Howard, head of risk management and governance consulting in APAC for NCC Group.
Howard says one of the exercises she does with clients is to assign each class of data a business impact weighting based on what would happen if it were leaked. "If you haven't got a label on it [the data], well how do you know what the impact of it is going to be on your operations?" she asks.
APRA also advises that information assets that on the face of it may not be as critical as other data still "could provide the mechanism by which an attacker could compromise information assets with higher levels of criticality or sensitivity."
APRA also mandates that controls be tested with a regularity determined by how important the data is and how frequently the technology around it changes.
Third Parties and Reporting
One of the most contentious areas as APRA was developing CPS 234 was notifications. Companies are required to report "material" control weaknesses and security incidents.
Under the regulation, companies must notify APRA as soon as possible, and no later than 72 hours after becoming aware, of security incidents that materially affected, or could have materially affected, the entity or the interests of its depositors, policyholders or other customers. Also, if a company learns of a material information security control weakness that it doesn't expect to remediate in a timely manner, it must be reported within 10 business days.
So what's material? It's an area that leaves room for interpretation and judgment, but there are some clear bounds. For example, if a company has reported an incident to a regulator in another jurisdiction, APRA expects to be notified of it as well.
The reporting requirements also apply to third parties that handle a company's data. This was one of the most discussed areas as APRA was drafting CPS 234. Large financial services companies and insurers may have hundreds of third parties that touch their data.
APRA's view: All data handled by suppliers falls under CPS 234 and needs to be assessed.
"That's a massive change," says Tommy Viljoen, national lead partner, cyber risk service strategy and governance with the consultancy Deloitte. "If you have to evaluate hundreds of third parties at scale, how do you do that?"
Top financial institutions have had programs in place to evaluate third-party risk, but even those efforts didn't trickle down to all of their lesser-risk service providers, Viljoen says.
Because of the concerns around compliance, APRA extended the deadline for dealing with third-party data. Organizations now have until either July 1, 2020, or their next contract renewal date - whichever comes first - to ensure third parties are CPS 234 compliant.
In the meantime, companies need to create a tiering model for their suppliers: What are their critical information assets and which suppliers are responsible for executing the controls? "It's about focus, structure and discipline," Robinson says.
There's been activity worldwide for more than a decade aimed at improving cybersecurity readiness, breach readiness and reporting. CPS 234 overlaps with some of those regimes, which is why compliance may be easier for larger organizations with international operations.
"Many companies are reviewing and using regulations and guidelines such as CPS 234, GDPR and SOX as the catalyst and center of their digital transformation projects," says Terry Burgess, vice president of APJ with SailPoint.
Howard of NCC Group says she and her colleagues consult on some 60 standards, ranging from HIPAA in the U.S. to the GDPR in Europe to California's new data protection law. Many have overlapping requirements (see California's New Privacy Law: It's Almost GDPR in the US).
"If you are doing these certain frameworks, you can map it back to a number of other frameworks," she says.
But CPS 234 falls short in one area - attack simulations, says Kevin Tran, director of Trustwave's SpiderLabs in APAC. Those kinds of exercises help uplift the capabilities of companies, he says.
"Having that kind of drill where you really stress test people, process and technology and make them experience what they perceive would be a real attack would probably be a good way of tying it all together," he says.
Authorities elsewhere have introduced those requirements, including the Hong Kong Monetary Authority's iCAST framework and Adversarial Attack Simulation Exercises by Singapore's Association of Banks, Tran says. Those initiatives were influenced by the Bank of England's CBEST tests, which include penetration testing and red teaming.
"It's disappointing that we're not quite there yet," he says.
The deadline for compliance is July 1, but Viljoen says it's unlikely that any organization will be able to say by then that it's fully compliant.
Robinson of EY points out that companies can still have control weaknesses on July 1, as long as they have a plan to become compliant within a defined period of time.
"That's the bit everyone is sort of struggling through," Robinson says. "Compliance doesn't mean on the first of July that you have no control weaknesses. It's unrealistic in major businesses for that to be the case. And I think it's unrealistic of APRA to have an expectation of that and I don't think they do."
But organizations will need to move swiftly to show APRA they're on top of it. Overall, stepping up Australia's cybersecurity stance is a move in the right direction, particularly with the 72-hour notification requirement, control testing and greater board responsibility, says Carlo Minassian, founder of Sydney-based cybersecurity company LMNTRIX.
"Most APRA-certified entities are in the same boat as everyone else," Minassian says. "They spend lots of money on cybersecurity and meeting compliance standards, but their ability to detect and respond to a threat is nominal or rudimentary at best."