Attack yourselves, says APRA. Here’s how.
APRA shook up the financial services industry again recently by effectively ordering banks to cyberattack themselves. Why, and what that means in practice, remains a major concern for APRA-regulated companies still grappling with cyber hygiene issues across the organisation as they work to comply with Prudential Standard CPS 234.
The introduction of CPS 234 on 1 July 2019 made APRA-regulated entities responsible for demonstrating that they have taken measures to be resilient against cyberattacks and other security incidents. Furthermore, it is not a one-off requirement: these measures must be continuously updated and maintained commensurate with the evolving threat landscape.
What brought about this new focus on cybersecurity?
Why? Largely because COVID-19 has “created new and increased opportunities for those with malign intentions to scam, deceive, steal and disrupt us,” says APRA executive board member Geoff Summerhayes. Indeed, ransomware grew by 10% in Australia and 20% globally during the height of the pandemic last year according to antivirus company Avast, corroborating Summerhayes’ categorisation of cyber crime as “an accelerating risk”.
As a result, managing risk by minimising the potential for security incidents to compromise the confidentiality, integrity and availability of information assets is now top of the agenda for APRA-regulated boards. Hardly surprising, since APRA has committed to holding both boards and individual board members responsible for non-compliance with its standards, and its enforcement powers include the imposition of hefty fines.
Clear directives for compliance with CPS 234
The Australian financial services industry is a landscape of 170,000+ interconnected entities and markets. The threat to customers comes not only from the potential for a single company's infrastructure to be compromised but also from the potential for adversaries to pivot through third parties; a very real prospect in today's world of multiple public cloud platforms and apps. Look no further than the SolarWinds compromise, in which a trojanised update to the Orion platform gave attackers a foothold inside thousands of customer networks. From there they abused the highly privileged service accounts Orion legitimately runs under, stole token-signing material and forged authentication tokens to reach victims' Microsoft 365 and Azure AD tenants, granting themselves access across the broader customer ecosystem. Truly frightening. APRA had already anticipated this class of risk, which is why CPS 234 explicitly extends to controls operated by third parties and insists on compliance with rigorous cybersecurity standards. The upshot is that where companies have previously coasted through compliance checks, that is no longer possible.
Among the directives of Prudential Standard CPS 234 is paragraph 27, which states: "An APRA-regulated entity must test the effectiveness of its information security controls through a systematic testing program." Paragraph 32 adds: "An APRA-regulated entity's internal audit activities must include a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties (information security control assurance)." That's right: financial services organisations are responsible not only for their own cyber resilience but for obtaining assurance over the controls of the related and third parties they depend on.
And that brings us onto APRA’s call for organisations to hack themselves.
What does APRA mean by “attack yourself”?
Essentially this suggestion demands a shift from an assessor's posture to a red team approach to security checks. In other words, we are being asked to move from ticking off controls as security assessors to probing them as (mock) attackers. The idea is that by asking companies to test their controls the way a determined adversary would, i.e. to put themselves in the attacker's shoes and keep pushing until the controls either hold or fail, they will give compliance the due diligence it deserves rather than treating it as a checklist to be gotten out of the way.
Supply chain attacks of the SolarWinds kind are absolutely on the agenda. So are phishing, ransomware, spyware and the other commonly used means of breaching corporate infrastructure. The old days of a single point-in-time penetration test are long gone.
But before you rush to a masterclass in ethical hacking, it's worth noting paragraph 30 of Prudential Standard CPS 234, which states: "An APRA-regulated entity must ensure that testing is conducted by appropriately skilled and functionally independent specialists." APRA wants this done professionally and without bias: the people who built or operate the controls should not be the ones attesting that they work.
How to engage in ethical hacking
So, if you’re planning on hacking yourself, where do you start?
It makes sense to use the APRA framework you're testing yourself against as a starting point: namely Prudential Standard CPS 234, together with its companion Prudential Practice Guide CPG 234 (Information Security). Additionally, Prudential Practice Guide CPG 235 (Managing Data Risk) applies to ADIs (authorised deposit-taking institutions), insurance companies and super funds.
With these to hand, commissioning a gap analysis through an independent third party well versed in Governance, Risk & Compliance (GRC) will reveal the control gaps that require your immediate attention.
Next, work with your GRC specialist to devise a compliance strategy including a set of controls that meets your organisation’s bespoke risk requirements, as well as APRA’s needs.
Remember to work with your GRC specialist to set benchmarks for monitoring ongoing compliance. The fact is, nobody can certify you compliant once and for all. In this world of rapidly changing infrastructure, compliance is an ongoing state. As such, it's essential to set a cadence for regular testing, review and updates.
Does compliance have to be so hard?
In a word: no. Good compliance is fast compliance. There are logical paths to establishing a baseline of information security controls that underpins business continuity. These controls give boards the confidence to oversee the response to significant cyber events.
However, we're in somewhat new waters given the meteoric pace of digital transformation during recent years, not least during the last 12 pandemic months. There's a great deal of confusion and some unanswered questions that risk leading organisations into a time and cost sink. For example, should compliance look the same for an SME (small to medium enterprise) as for a large enterprise? There's a strong argument for the burden placed on smaller organisations being proportionate to their size and relative risk. I'm not talking about making concessions; rather, understanding the unique environments of various groups and providing them with the right tools and processes to fit those circumstances.
In truth, nobody knows yet how this will play out. But at least for today, companies are well advised to seek advice from GRC specialists in achieving good and fast compliance.
A final word on cyber crime
There's no doubt that compliance with APRA standards and regulations has never been more critical or more urgent. And however ludicrous the notion of hacking rewards and competitions may sound (which is essentially what's emerging from the call for companies to attack themselves), this new focus on compliance with security standards is long overdue.
Will it stop us from getting attacked? No. Malicious actors are a smart bunch. It will, however, arm us with the right procedures, testing programs, monitoring and management processes, control environments and the ability to respond rapidly, before harm is done.
And, that’s gold.
If you are interested in knowing more about APRA compliance, we would be more than happy to answer your questions. Get in touch via our website for a call back from one of our GRC specialists.