APRA received 36 infosec breach notifications from financial services boards

The regulator said there is room for improvement in the Australian industry.

The Australian Prudential Regulation Authority (APRA) has received 36 incident notifications from boards of financial services firms in the four months since its new security reporting standard came into play.

The CPS-234 Information Security standard requires boards of APRA-regulated entities to be responsible for ensuring that the entity maintains its information security.

Under the requirement, regulated entities are to notify APRA as soon as possible and, in any case, no later than 72 hours, after they become aware of an information security incident.

APRA executive board member Geoff Summerhayes told the Cyber Breach Simulation Australia (CyBSA 2019) conference in Sydney on Thursday that the requirement has already helped to provide APRA with additional insights into the scale and nature of the threats faced by regulated entities.

Of the 36 notifications, Summerhayes said many were data breaches involving the disclosure of personal information as a result of human error, such as accidental disclosure where an employee emailed a spreadsheet containing customer information externally.

"Others, more ominously, involved a compromise of staff or customer credentials resulting in the unauthorised manipulation of records, website defacement, and fraud," he said, later calling them "relatively minor".

Need to disclose a breach? Read this: Notifiable Data Breaches scheme: Getting ready to disclose a data breach in Australia

"It's important to note that APRA's regulated flock would have been subject to vastly more attempted cyberattacks. These are just the ones that succeeded -- and that we know about."

Summerhayes said the number of incidents is not a cause for undue alarm, however, given there is a reporting population of almost 600 entities.

He said the financial sector broadly handles infosec incidents well, but said that APRA has also observed areas of common weakness, many of which the regulator has called out repeatedly.

"For example, we have identified basic cyber hygiene as an ongoing area of concern. This includes having systems for which the vendor is no longer providing support or security updates," he explained.

"The lack of a comprehensive security patching regime and poor access management practices are also common. Some institutions still haven't developed a complete inventory of their information assets within their IT real estate or put in place effective oversight where part of that real estate is managed by third parties."

This includes both cloud-based services and traditional support arrangements, all captured by CPS-234.

See also: APRA advises regulated entities to manage risks when adopting cloud

Under the new directive, an APRA-regulated entity must clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies, and individuals.

They must also keep and maintain a log that details the size and extent of threats to its information assets, as well as implement controls to protect its information assets log and undertake "systematic testing and assurance regarding the effectiveness of those controls".

Additionally, the entity must notify APRA of "material" information security incidents.

"You cannot secure what you don't understand and you are only as strong as your weakest link," Summerhayes said. "In short, there is room for improvement in the industry."

APRA's role, Summerhayes said, is to ensure regulated institutions are resilient to cyberattacks through prevention, detection, and response capabilities. He said the regulator will be increasingly challenging entities in this area through the use of data-driven insights to "prioritise and tailor supervisory activities".

"In the longer term, we'll use this information to inform baseline metrics against which APRA regulated institutions will be benchmarked and held to account for maintaining their cyber defences," he said. "We've set the floor with CPS-234 and will be enforcing these legally-binding minimum standards in a 'constructively tough' manner."

Internally, Summerhayes said APRA is also bolstering its ability to assess the cyber resilience of the institutions it regulates by improving its own capabilities, turning to third parties where necessary.

APRA also announced on Thursday that it would be undertaking a multi-year project to upgrade the "breadth, depth, and quality" of its superannuation data collection.

APRA's Superannuation Data Transformation aims to drive better industry practices and improve member outcomes by significantly enhancing the comparability and consistency of reported data, the discussion paper says.

It is expected the project will make it easier to scrutinise and reliably compare fund and product performance, especially in the choice segment of the market.

APRA said it intends to use this improved data to inform its own prudential activities, gain deeper insight into fund operations, and strengthen its oversight of the industry.

MORE SECURITY