The Australian Prudential Regulation Authority (APRA), the licensing authority for banks, employer-sponsored retirement (“superannuation”) funds, financial services and insurance companies, is placing responsibility for cybersecurity squarely on board members under its prudential standard CPS 234 (Information Security).
In a speech to the Financial Services Assurance Forum at the end of 2020, an APRA official said that “boards frequently don’t understand or are not adequately informed about cyber risks [and] we’re no longer prepared to simply take their words for it.”
FAIR Institute Sydney Chapter founder and co-Chair, Denny Wan, tracks the cybersecurity regulatory climate in Australia, and says APRA is effectively pushing its regulated entities toward integrating cyber risk with enterprise risk management, laying the groundwork for wider adoption of the FAIR standard for cyber risk quantification. Denny is a principal consultant at CyberCX and a postgraduate researcher at the Optus Macquarie University Cyber Security Hub.
“CPS 234 is quite a game changer,” he says. “It is the first and only regulatory framework in Australia and perhaps globally specifically tasking board members to demonstrate the sufficiency of cybersecurity and that’s very difficult to do. It probably goes beyond the SEC guidance for organizational cyber risk disclosure.”
Denny answered these questions about the tightening cybersecurity regulation in Australia:
What’s the background on CPS 234 and what’s new in the latest statement from APRA regarding board responsibility?
Denny says that the focus on cyber risk management started in 2013 when APRA issued CPG 234, a practice guide to good practice in cybersecurity management. The new cybersecurity standard CPS 234 was published in November 2018 and came into effect in July 2019. CPS 234 requires board members to ensure that an organization’s cybersecurity is “commensurate” with the threats it faces.
The speech in December, 2020, delivered by an APRA board member “expressed their frustration,” Denny says, that board directors hadn’t stepped up to the requirement.
APRA is demanding board members “tell us why you think your security is of commensurate strength. It’s your problem to figure out how.” APRA has not issued any guidelines on materiality (the standard for cyber risk disclosure at the SEC) nor has it taken any enforcement actions yet that might give a clue on regulator expectations.
The agency has demanded that the regulated companies bring in independent auditors during 2021 to attest to the quality of their cybersecurity programs. Denny disagrees with that approach. “The gap is not in the lack of independent audit, as asserted by APRA. The gap is in the deficiency in prioritizing their remediation program. That’s where FAIR could help the board members in answering the ‘commensurate’ question.”
Justifying a security program based on loss exposure sounds exactly like a job for FAIR. How would you suggest that the APRA-regulated companies use FAIR in compliance with CPS 234?
“Understand and communicate cyber risk in dollar values and integrate cybersecurity management into ERM as described under NISTIR 8286,” Denny replies.
The National Institute of Standards and Technology (NIST) publication NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), is a roadmap that any organization could follow to build a cybersecurity program that board members can understand and communicate to regulators, because it is expressed in the same terms as the rest of the enterprise’s risk management.
NISTIR 8286 not only recommends FAIR and quantification as a tool to “better prioritize risks or prepare more accurate risk exposure forecasts” but calls out many of the techniques of FAIR practitioners including risk prioritization, risk scenario modeling, Monte Carlo simulations, and, of course, quantification of cyber risk in financial terms, all with the goal of lining up with enterprise risk management.
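To make concrete what “quantification of cyber risk in financial terms” looks like in practice, here is an added example written for this article (it is not code from NIST, the FAIR Institute, CyberCX or Denny Wan). It runs a FAIR-style Monte Carlo simulation with only the Python standard library: threat event frequency, vulnerability and loss magnitude are entered as calibrated min / most-likely / max ranges, sampled as PERT (beta) distributions, and rolled up into an annualized loss distribution. The two scenarios, their ranges and the control cost are invented for illustration; the point is the shape of the output a board can read: mean and tail loss exposure before and after a control, which is the kind of evidence the “commensurate” question asks for.

```python
"""FAIR-style Monte Carlo loss-exposure simulation (added example, stdlib only).

Risk = Loss Event Frequency (LEF) x Loss Magnitude (LM), where
LEF = Threat Event Frequency (TEF) x Vulnerability (probability an attempt succeeds).
All inputs are hypothetical calibrated estimates, not data from the article.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Min / most-likely / max estimate sampled as a modified PERT distribution.

    Mean of the distribution is (low + 4*mode + high) / 6 with the default shape.
    """
    low: float
    mode: float
    high: float
    shape: float = 4.0  # conventional lambda for the modified PERT

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        a = 1 + self.shape * (self.mode - self.low) / span
        b = 1 + self.shape * (self.high - self.mode) / span
        return self.low + rng.betavariate(a, b) * span


@dataclass(frozen=True)
class Scenario:
    """One risk scenario expressed in FAIR terms."""
    name: str
    tef: Pert   # threat events (attempts) per year
    vuln: Pert  # probability in [0, 1] that an attempt becomes a loss event
    loss: Pert  # loss magnitude per loss event, in dollars


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate(sc: Scenario, years: int = 10_000, seed: int = 1) -> dict:
    """Simulate `years` independent years and summarize the annual loss distribution."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        lef = sc.tef.sample(rng) * sc.vuln.sample(rng)   # expected loss events this year
        events = poisson(rng, lef)                        # realized number of loss events
        annual.append(sum(sc.loss.sample(rng) for _ in range(events)))
    annual.sort()
    return {
        "name": sc.name,
        "mean": statistics.fmean(annual),                 # annualized loss exposure (ALE)
        "p50": annual[len(annual) // 2],
        "p90": annual[int(0.9 * len(annual))],            # 1-in-10-year loss
        "p_any_loss": sum(1 for x in annual if x > 0) / len(annual),
    }


def control_value(before: dict, after: dict, annual_cost: float) -> float:
    """Net annual benefit of a control: reduction in mean ALE minus its running cost."""
    return (before["mean"] - after["mean"]) - annual_cost


# Hypothetical scenario: ransomware via phished staff credentials.
BEFORE = Scenario(
    "credential phishing -> ransomware (no MFA)",
    tef=Pert(10, 25, 60),
    vuln=Pert(0.02, 0.05, 0.15),
    loss=Pert(200_000, 1_500_000, 8_000_000),
)
# Same scenario after phishing-resistant MFA; only the vulnerability estimate changes.
AFTER = Scenario(
    "credential phishing -> ransomware (MFA rolled out)",
    tef=BEFORE.tef,
    vuln=Pert(0.002, 0.005, 0.02),
    loss=BEFORE.loss,
)
MFA_ANNUAL_COST = 300_000  # hypothetical licence plus operations cost per year

if __name__ == "__main__":
    b, a = simulate(BEFORE), simulate(AFTER)
    for r in (b, a):
        print(f"{r['name']}: ALE ${r['mean']:,.0f}  p50 ${r['p50']:,.0f}  "
              f"p90 ${r['p90']:,.0f}  P(any loss) {r['p_any_loss']:.2f}")
    print(f"net value of MFA: ${control_value(b, a, MFA_ANNUAL_COST):,.0f}/yr")
```

Because the output is a dollar distribution rather than a heat-map color, the same numbers drop straight into an ERM risk register and a prioritized remediation plan: a control is justified when its net value is positive, and a board can state in the regulator’s terms why the remaining exposure is, or is not, acceptable.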
“Board members will resonate with the approach in NISTIR 8286,” Denny says, “and that gives a blueprint and a connection to FAIR. The ERM community ultimately will be responsible for assisting board members to make an attestation on cybersecurity and I foresee the ERM community will start reaching out to the cyber risk community following the 8286 roadmap.”
For more guidance, read ‘Building an APRA CPS 234 Compliance Template’, co-authored by Denny Wan and Michael Collins, and watch the video replay of Denny’s presentation ‘Decision Making with FAIR - Quantification and The Rise of Class Action Lawsuits’ at the 2020 FAIR Conference (available here to FAIR Institute members). Membership in the FAIR Institute is open at no cost to qualified risk professionals.