Applying an Australian Regulator’s Cyber Audit Findings, in a UK Context
- Piers Wilson, Head of Product Management at Huntsman Security
- 25.09.2023 07:30 am #security
The UK market has its own regulators, security standards and challenges. And while rulings from SEC in the US or the Australian Prudential Regulation Authority (APRA) in Australia don’t apply to UK companies for the most part, the observations are undoubtedly relevant and the resulting advice instructive.
It would be wrong to think UK financial organisations, listed entities, utilities or organisations more broadly are more or less secure than those in the US or AsiaPac; the regulatory regimes are just different. That said, we are all facing very much the same threats to our business, the majority using the very same technology platforms. As we recently learned from the joint international security agency list of Top Vulnerabilities, cyber security issues, like the constant stream of vulnerabilities and skilled staff shortages, are ubiquitous.
Undoubtedly there are varying levels of technical and cyber security maturity from country to country and business to business; but that doesn’t mean we can’t accelerate our cyber security maturity by learning from one another.
The Australian Findings
It took a “tripartite cyber assessment”, a formal security control assessment by APRA, to identify that a sample of financial organisations in fact had inadequate cyber security: poor security control management, a lack of business recovery planning and inadequate third-party risk assessment. These assessments were advertised in advance, so why were there gaps? Where is the failure?
Clearly the common practice of unsubstantiated risk assessment and anecdotal reporting is inadequate and can lead to misplaced confidence by cyber security stakeholders and hidden cyber gaps.
It is concerning if, as the results suggest, some Australian financial organisations are willing to “chance it” when it comes to their cyber security resilience.
In July 2023, APRA published the initial findings of its Information Security Prudential Standard CPS 234 compliance audit of banks, insurers and superannuation trustees. The results are concerning.
- Incomplete identification and classification of critical and sensitive IT assets
- Limited assessment of third-party information security capabilities
- Inadequate definition and execution of security control testing programs
- Lack of incident response plan testing and review
- Limited internal audit reviews of information security controls
- Inconsistent reporting of material incidents and control weaknesses to APRA, in a timely manner.
Some of these “gaps” go directly to the operation of the cyber security governance process. It’s right that regulators should remind directors about their responsibilities for cyber security and oversight. But these reminders appear to be falling on deaf ears. Given last year’s cyber-annus horribilis in Australia, surely cyber governance is a priority.
Perhaps it’s timely to ask whether British financial service companies are subject to similar security gaps. Can we assume that UK PLCs are better or worse than companies operating south of the equator? The likelihood is that the same mistakes are being made by businesses in both jurisdictions for the same reasons. The balance of probabilities would suggest that anecdotal cyber risk assessments and cognitive bias are not bound by geography.
In late June 2023, the Australian Bureau of Statistics (ABS) published a report on Characteristics of Australian Business 2021-2022, which alarmingly found that as few as 20% of Finance and Insurance Services businesses had upgraded their cyber security software, standards or protocols in the last year. That, despite 57% of the sector actually experiencing some sort of impact from a cyber incident during the period.
Not dissimilar concerns were raised in the UK Government Cyber Security Breach Survey 2023 when it was observed that across the last three survey periods, some cyber security controls have seen consistent declines among businesses and that cyber security had dropped down the priority list.
What does this say about our cyber security intent?
It’s entirely likely that the security gaps being observed in the finance sector are due to a lack of investment in cyber security systems and processes, and a lack of appreciation for the dynamic and evolving nature of cyber resilience. This lack of investment in Australia in cyber security software, standards and protocols points to cyber resilience improvement being a long way off.
One reason progress in cyber security is so slow is its complexity. In the UK the National Cyber Security Centre (NCSC) suggested recently that the job is bigger than many organisations think: “data flows have ballooned… and the cyber security landscape has become even more complex.” Effective cyber security now means regularly dealing with complex modern IT systems, often using cyber security management practices that are no longer adequate. And the persistent hostile threat environment is making it harder to deliver improved cyber resilience at speed and scale. Cyber security is quickly becoming a data analysis problem.
Effective cyber security risk management means all-in
Cyber risk management practices of many organisations are rightfully based on their own perceived levels of exposure, suitability of controls and risk appetite – that’s the whole idea. The problem arises, however, when the absence of a suitable and reliable cyber security assessment process means organisations can’t be confident about their own security level or that of their potential business partners. Without a recognised system or standard “measure” to confirm an organisation’s relative level of cyber resilience, it all gets too vague. And in an interconnected world this can quickly translate into systemic risk.
For that reason, organisations need to incorporate current cyber risk management and industry best practices into their cyber governance process.
Whether in Australia, where APRA regulates financial organisations, or anywhere else, risk management stakeholders need clear visibility of their digital assets, and they need to be able to identify any gaps that emerge in the security controls that protect those assets. In fact, APRA’s Prudential Practice Guide CPG 234 recommends that organisations “actively maintain an information security capability” that addresses “changes in the vulnerability and threats” environment. It continues that they should be guided by “established control frameworks and standards.” Vulnerabilities and the threat environment are clearly exploding, and a principle-based security standard without the inclusion of established control frameworks to instruct and guide the operational management of cyber security is inadequate in the current risk environment.
What is worse than a security control gap? A cyber-iceberg
The upside of having these security gaps identified by the regulator is that they’re now reported to risk stakeholders, and their prognosis for mitigation is good. Without rigorous and systematic risk assessments or evidence-based processes, or a sophisticated assurance program like the one undertaken by APRA in this study, these serious vulnerabilities would have remained like an armada of cyber icebergs: invisible to the organisations’ customers, their business partners and the regulator itself.
In late 2022, in its annual report to the Australian Government, the Cyber Security Industry Advisory Committee recommended that a systematic, empirical, data-driven cyber security maturity measurement system be adopted nationally. Driven by concerns about the reliability and accuracy of widely used anecdotal assessment methodologies (and the potential for the cyber gaps we’ve spoken about), it sought to address the need for better quality evidence-based risk assessment practices.
That sentiment was ultimately supported by the Australian Cyber Security Centre (ACSC) shortly thereafter, when it highlighted the importance of quantitative assessment and evidence-based measurement over subjective interviews, questionnaires and intuition – the very places where invisible gaps can lurk.
The UK’s NCSC too, recently made similar pronouncements when it favourably contrasted the reliability of quantitative data-driven cyber security assessment with less reliable anecdotal or intuition-based methods. Using empirical information to support evidence-based decision making, it argued, will transform cyber security management practices. These data-driven techniques also better address the growing speed and scale requirements of current day cyber security assessment and reporting.
Meanwhile in the US, SEC rules for listed organisations are requiring greater diligence in both incident reporting and providing visibility on the state of their risk management controls. The materiality of these risks is one question, but the ability to quickly assess issues and clearly express their nature and implications to the business and its stakeholders means security and executive teams are on notice. They will need a functional and transparent evidence-based risk management programme to meet these more stringent regulations.
Data-driven empirical analysis for evidence-based cyber security decision making
How cyber security gaps are identified is key to how effectively organisations will navigate the threat environment into the future. It took a robust assurance process for APRA to identify the very real threats lurking under the surface in its sample cohort. And now the NCSC in the UK and the SEC in the US are shifting to the same viewpoint. With these sorts of gaps potentially lurking wherever subjective questionnaires or unsupported anecdotal cyber security assessments are undertaken, organisations need better processes and practices to limit cyber gaps in the future.
Stakeholders at every level are seeking greater confidence in the cyber maturity levels of their supply chain. Zero trust principles – designed to eliminate implicit digital trust – speak very much to the demand for a greater level of confidence in the cyber risk controls that protect our systems and ultimately our core assets. The adoption of accessible systematic and objective cyber resilience measurement is needed to limit the moral hazard created by those employing less diligent cyber security practices.
There’s talk of more informed cyber security assurance processes, ones that examine any evidence for the purpose of providing an independent and objective assessment of risk. That’s a start of course, but without a systematic scientific process to verify that evidence, “the exchange rate for a cyber risk” is different for each of us. It’s the steps that remove subjectivity and cognitive bias and replace them with systematic process and timely empirical measurement that will deliver a trusted basis for cyber security decision making.
Effective cyber security is all about managing the detail in all the noise. Systems are complex, skilled staff are hard to find, data volumes are growing and you’re looking to protect every last potential point of unauthorised access. Gaps are a problem, and current cyber security practices can’t substantiate your ongoing cyber resilience – especially if they are built on subjective judgments or imprecise standards.