In the last few months, I've met with a lot of risk managers at a few Australian financial institutions, and the recurring question was: "How can we get CPS234 compliant?" It seems the more relevant question should have been: "How can we help our board of directors meet their responsibilities?"
Or maybe the people who should be asking about CPS234 are the members of the board of directors, who will ultimately be responsible for securing their IT infrastructure?
Generally, the goal of any cybersecurity professional should not be compliance with regulations alone. What APRA is asking regulated financial institutions to do is to assume breach and to know their attack surface. You cannot protect what you don't know about, which is why APRA requires them to maintain up-to-date details of their IT assets and the threats to those assets, as well as to implement controls that continuously protect them.
So if you are affected by CPS234 I suggest asking the following questions:
- What are the high-value assets – private, sensitive, and/or mission-critical data – that an attacker will target once they find a way into the network?
- What security measures are currently in place to prevent the free, lateral movement of an attacker within the network (networks which have become flat with the increased connectivity of apps and devices)?
If these cannot be answered and you think you are compliant, you probably should go back to the drawing board before the 1st of July.
The new instruction comes by way of APRA's CPS-234 Information Security standard [PDF] and will require boards of APRA-regulated entities to be ultimately responsible for ensuring that the entity maintains its information security.