Interview: Does APRA’s attitude to cyber security get the job done?

The Australian Prudential Regulation Authority (APRA) released its latest Interim Policy and Supervision Priorities letter last week, with a number of points focused on cyber security readiness and maturity.

APRA requires that all entities under its umbrella “ensure they take steps to be resilient against the growing threat of cyber attacks” and that all relevant bodies measure up to “the standards expected of them under Prudential Standard CPS 234 Information Security”.

To get around the finer points of what APRA is trying to achieve, we were able to get some time with Yakir Golan of risk management firm Kovrr for a more in-depth analysis of APRA’s aims.

Cyber Daily: APRA has now released its Interim Policy and Supervision Priorities update, and cyber resilience is a big plank – do you think it goes far enough?

Yakir Golan: APRA’s newly enhanced focus on cyber resilience is a solid step forward in terms of making the Australian market more aware of the level of attention cyber security matters require in today’s highly interconnected digital era. By bringing 2019’s CPS 234 back into the spotlight, APRA is reminding organisations that there is a national governing body ready to check up on them and evaluate whether or not they have adequate cyber security governance practices and policies in place.

APRA explicitly states that the boards of regulated entities are ultimately going to be held liable for keeping information secure. Being held accountable by an external body is crucial, especially considering the already enormous amount of responsibility these high-level executives must attend to daily.

Given TechTarget’s Enterprise Strategy Group and the Information Systems Security Association’s latest research found that 40 per cent of all chief information security officers categorise their working relationship with the board as “fair or poor,” it’s safe to surmise that, without anyone to substantiate disclosures, cyber security would likely be deprioritised at these high-level discussions.

But the boardroom’s involvement in managing cyber risk is a critical, essential factor for effective cyber security management. Without their dedication and investment, resilience is going to be exceedingly difficult, if not impossible, to achieve. In addition, it will be essential for boards to ensure they have the skill set and expertise at the table to be able to make the right decisions and apply adequate oversight and challenge.

VIEW ALL

Whether APRA’s updates go “far enough” remains to be seen. Changing how cyber security is perceived within the organisational context will take time, so it’s a positive indicator that governing entities are passing legislation to build the momentum of this necessary shift.

CD: What are some of the changes in CPS 230 – coming into effect in 2025 – that financial entities need to be aware of?

Yakir Golan: CPS 230 focuses on operational risk as a whole, incorporating cyber risk as merely one factor. However, a key component of this regulation that financial institutions need to pay special attention to is the expectation of maintaining critical operations “within tolerance levels” even in the case of a severely impactful cyber event.

In practice, this means that executives need to be tangibly aware of the forecast financial damage cyber events may cause to the organisation in the upcoming year. Figures like risk appetite and tolerance can not be accurately accounted for if any aspect of operational risks remains too abstract.

Solutions like on-demand cyber risk quantification (CRQ) can easily translate the more technical nature of cyber risk into event likelihoods and associated monetary losses, offering budget-makers objective, data-driven insights to leverage when planning for the upcoming fiscal year and developing risk tolerance levels.

Another crucial change CPS 230 sets forth is that senior management and board members must ramp up their collaboration, with management alerting the board when any potential decisions affect an organisation’s resiliency.

In terms of cyber risk, this ultimately means that cyber security heads must learn how to communicate in broader business terms, an endeavour similarly aided by CRQ. Equipped with the financial ramifications a proposed program or new technology may have, boards are much more prepared to make the final call in terms of implementation or investment.

CD: When it comes to “material risk”, is the guidance clear enough on what constitutes a “risk”?

Yakir Golan: How to define materiality has been one of the most widely debated topics in cyber security over the past year. However, APRA offers a bit more guidance than other governing bodies, such as the US SEC, on what constitutes a material impact.

CPS 230 explains that a material impact is one that extends beyond the maximum time a business could tolerate disruption of service, maximum acceptable data loss, or the minimum service levels necessary to maintain critical operations. Accordingly, what an organisation determines to be a material event or risk is highly contextual.

On the other hand, the lack of a concrete definition has left many business leaders confused about what to report, inevitably leading to an investment of valuable resources into the delineation process that could otherwise have been allocated to proactively mitigating material risk.

This exceedingly common scenario is why APRA needs to offer a bit more guidance into what constitutes material, such as establishing quantified benchmarks that can serve as a baseline for what organisations need to disclose. Quantified thresholds provide the necessary starting point for determining materiality and facilitate a more consistent approach to managing material cyber risks and responding to material cyber incidents.

While materiality’s subjective nature demands there must not be too much prescription about how to determine it, APRA would do well to provide benchmarks that can streamline an organisation’s definition process.

CD: You’ve said that CISOs and other stakeholders need to evaluate their own risk tolerance when it comes to cyber attacks. Should APRA offer more guidance on this front?

Yakir Golan: Because, within the context of CPS 230, APRA loosely equates materiality impact with that which extends beyond an organisation’s risk tolerance in certain operational matters, it’s similarly important that the definition not be too prescriptive. Risk tolerance thresholds are dependent on a number of contextual factors, including but not limited to revenue size, industry, customer impact, and geographical area.

The more crucial aspect of evaluating risk tolerance – rather than offering more guidance – is the collaboration itself. Developing tolerance levels that accurately account for cyber risk requires that CISOs work closely with key stakeholders so everyone can maintain a realistic understanding of the financial damage the organisation is forecast to incur within the upcoming year.

APRA’s newest regulations are an attempt to foster these relationships between cyber security leaders and high-level executives, ensuring that risk tolerance levels are calculated based on objective data rather than subjective analysis.

If anything, APRA can make the importance of the relationship even more explicit, either in the regulations or in the proposed roundtables mentioned in the Interim Policy and Supervision Priorities update.

Yakir Golan began his career in the Israeli intelligence forces. Following his military service, he acquired multidisciplinary experience in software and hardware design, development and product management. For the past few years, he has been focused on bringing cyber risk management solutions based on advanced machine learning and artificial intelligence to the market. Golan holds a BSc in electrical engineering from the Technion, Israel Institute of Technology and an MBA from IE Business School, Madrid, Spain.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.