Global and local regulation is helping to concentrate boards’ attention on cyber security risks, according to industry experts.
From today, boards of APRA-regulated entities are ultimately responsible for ensuring that their organisation maintains its information security.
The new prudential standard, CPS 234 Information Security, requires that financial institutions clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals. They must also notify APRA of material information security incidents within 72 hours.
“Cyber-adversaries are targeting Australia’s banks, insurers and superannuation licensees with growing frequency and sophistication,” APRA Executive Board Member Geoff Summerhayes said.
“The new standard and accompanying prudential practice guide will reinforce industry’s ability to withstand these information security threats, and respond effectively when breaches occur. It is only a matter of time until an Australian financial institution suffers a material information security breach of the kind we’ve seen overseas, so they must be prepared.”
Jacqui Kernot, Partner – Financial Services, Cyber Security at Ernst & Young, said legislative changes will positively impact enterprise security by mandating security by default and by design.
“In Australia, the recently released prudential standard CPS 234 focuses on cybersecurity. This has had an immediate impact on the financial services community and our work with clients and their boards highlights that boards are engaged, curious and willing to learn about cyber,” Kernot said.
“There are some great questions being asked about what should be tracked and measured, how they can personally improve and what other companies are doing to improve their cybersecurity position.
“Certainly in financial services we are seeing very swift change within organisations, up to and including board level, in terms of their interest and engagement on cyber, which is really positive and will likely flow through to the rest of the market,” Kernot said.
According to Telstra’s 2019 Security Report, 45 per cent of CEOs and boards of directors have a high or very high involvement in cybersecurity, with 15 per cent of respondents saying they brief the board and senior management on cybersecurity weekly and 33 per cent monthly.
Nick Savvides, Chief Technology Officer Asia Pacific at Symantec, says his company has received an increase in requests from boards for cybersecurity briefings.
“Regulatory changes like Australia’s Notifiable Data Breaches Scheme and work done by the ASX and ASIC have significantly raised the profile of cyber security within the boardroom. In fact, many boards are now regularly requesting direct briefings from cyber security companies like Symantec, and we have hosted board meetings in our Sydney Security Operations Centre for a number of companies to advise on cyber trends and risk strategies,” he said.
“Many boards have taken cyber from being a small line item reported on by either the CIO or CRO, to a major agenda item. Media coverage of high profile breaches that have had material impact on companies has driven some of this change. Boards have begun to understand that digital transformation programs within an organisation cannot be run independent of cyber security.”
Chester Wisniewski, Principal Research Scientist, Sophos, says the progress made at board level is slower than he would like to see.
“Organisations perceived information security to be an entirely technical problem that only existed to satisfy regulators. This resulted in a lack of comprehensive strategies, budgets and cross-organisation involvement,” Wisniewski said.
“We have moved beyond that now and the better prepared organisations now recognise that security is a cross-functional discipline. We are just beginning to climb this hill, but an increasingly large number are starting to come to terms with how important technology is to every part of their operation and have a better understanding of the importance of securing every part of those functions.”