Insights • 4 minutes read

Cyber security: 4 ways to keep APRA on side

Cyber Risk & Governance Specialist

June 19, 2023

If there’s one thing any regulated organisation knows, it’s that cyber attacks are growing in number and sophistication.

And alongside the growth in attacks comes a minefield of complex security legislation. Putting a foot wrong can result in catastrophic reputational damage—so what is the best way to both navigate the field and keep the Australian Prudential Regulatory Authority (APRA) on side?

Get into the mind of the regulator

Security breaches are almost always high-profile cases. Just a few months ago, JBS, the world’s largest meat processing company, confirmed it paid $11 million in ransom to cybercriminals to be able to resume operations in 13 of its meat processing plants. Recent years have also seen the emergence of so-called ‘mega-breaches’, which have seen the loss of more than 50 million records in a single event.

These breaches aren’t just costly for the organisations involved. They are deeply unsettling for customers who expect their sensitive data to be protected and embarrassing to the regulator who aims to keep the public’s records safe. As such, the regulator needs cyber-security to be a key consideration at board level—not just something that the techies will solve.

To satisfy the regulator, organisations need a business-wide understanding of cyber risks that go beyond just thinking about the technology involved.

They need to consider the human aspects of why a breach might occur as well as the very real consequences of activities unravelling in cyber space.

Humanise your approach to risk

Under CPS 234, an organisation must “clearly define the information security-related roles and responsibilities of the Board”. This means that the board must have the ability to adequately understand and manage cyber risks.

This means that security teams need to talk about risks in a way that makes sense to the board—what could potentially happen during a specific event and how that might impact on the business. For example, a new type of phishing attack that may cause inadvertent loss of customer data – then resulting in a breach of regulations, reputational damage and fines.

Controls also need to be clearly defined, documented and tested. For example, running regular staff education programmes. The need for testing and monitoring is constant for controls to remain ‘adequate’ in the eyes of the regulator – and these must also be understood and checked by the Board.

Marry strategy with stringency

This need to satisfy APRA requirements through robust cyber protection demands resources and security teams may find themselves stretched between the need to monitor and report, and the need to assess and update security controls.

Although most APRA regulated organisations will have an internal audit function who can assess and test existing controls, these may not have experience in knowing how to prove they are “maintaining an information security capability commensurate with those threats and vulnerabilities.” (CPS 234) – as this is an ever-moving goalpost.

Many APRA-regulated entities choose to work with a specialist third-party organisation that can offer in-house expertise in the areas of control, risk posture, assessment, and education for both the broader staff and cyber specialists. It’s their responsibility to ensure your company maintains its cyber awareness and response capabilities—with the added benefit of plugging the resource gap.

Choose a security partner

To satisfy the regulations, your security team will need to continually assess and respond to emerging threats, and at the same time be responsible for improving or updating controls in response. In APRA’s view, managing information security risk, information technology (IT) risk and operational risk are all necessary and complementary disciplines.

Key Insight To adequately report in a way that makes sense to both the Board and the wider business, these teams must understand the stringent local requirements under APRA: what needs to be reported, how it needs to be reported and what controls must be put in place.

The simplest way to do this is to use an Australian security specialist: but you should be picky. To both handle risk and stay compliant under CPS 234 you need expertise across cyber security, the general IT environment, governance, risk and compliance—and potentially even legal.

A good partner should also help you to embed security into the overall business strategy to maintain discussions with the board. In these respects, your partner could perform several roles within the business—acting as an in-house security operations centre, a compliance officer and an implementation lead—while keeping resources lean.