Hot on the heels of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, also known as the Banking Royal Commission, the Australian Prudential Regulation Authority (APRA), the independent statutory authority that supervises about 4,000 regulated organisations across banking, insurance and superannuation, expects all regulated entities to meet, by 1 July, a new prudential standard aimed at combating the threat of cyber attacks.
Denny Wan, chair of the Sydney Chapter of the Open Group FAIR cyber risk framework, speaking to a sold-out audience of Cyber Riskers and AISA members at the NAB Auditorium in North Sydney, outlined the requirements and gave an anatomical breakdown of Prudential Standard CPS 234 Information Security. The slide deck is available here.
CPS 234, announced on November 7, 2018 (media release), requires APRA-regulated entities to:
- clearly define information security-related roles and responsibilities;
- maintain an information security capability commensurate with the size and extent of threats to their information assets;
- implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls; and
- promptly notify APRA of material information security incidents.
Following Denny’s presentation, Shamane Tan, Cyber Security Advisor, APAC at Privasec and Cyber Risk Meetup organiser, moderated a panel with Dan Barron – Cyber Security Advisory at Ernst & Young, Leslie Bell – Lecturer at Macquarie University, Wilson Chiu – Head of Security at Police Bank Ltd and Branko Ninkovic – AISA Sydney Chair / Dragonfly Technologies. During the discussion, Leslie Bell presented survey research on the use of qualitative and quantitative risk assessments, and the conversation centred on how to identify what needs to be protected and how to meet the “commensurate security capability” that goes with it. Dan Barron stressed that organisations should not wait until June 30 to do this: by 1 July they will need to know what they are defending and, on that basis, what capability is required.