APRA has released the first subset of findings from its review of the more than 300 banks, insurers and super funds it intends to examine this year, a review that requires APRA-regulated entities to appoint an independent auditor to assess their compliance with APRA's CPS-234.
As with the pilot assessments performed in 2021, concerning gaps have been found across the sector.
Key findings include:
· incomplete identification and classification for critical and sensitive information assets;
· limited assessment of third-party information security capability;
· inadequate definition and execution of control testing programs;
· incident response plans not regularly reviewed or tested;
· limited internal audit review of information security controls; and
· inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner.
Incomplete identification and classification:
Data identification and classification is the process of recognising and categorising information based on its attributes and characteristics. It involves analysing data to determine its type, sensitivity and relevance for organisational purposes. This process supports effective data management, security and compliance by enabling proper handling and protection of different data types, ensuring efficient use and safeguarding against unauthorised access or misuse. It is also used by technical security controls to enforce data retention, data leakage prevention and data flow restrictions.
Concerningly, common gaps included a lack of classification policies or unclear criteria for labelling sensitivity, and a lack of asset registers or ad hoc and incomplete processes to review those registers. In addition, third-party use of data and its classification was also a concern.
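As an added illustration (not from the original post or from APRA) of what "incomplete identification and classification" looks like in practice, the script below checks a constructed information asset register against a hypothetical classification policy and reports exactly the gaps described above: assets with no label or a label the policy does not define, assets with no accountable owner, registers that are never or rarely reviewed, and third-party-held assets with no assurance evidence. The field names, the permitted labels and the review cadence are assumptions for the example.

```python
"""Asset register gap check, an added example for CPS 234-style governance.

Assumes an information asset register held as a list of records with the
hypothetical field names used below, and a classification policy that defines
the permitted sensitivity labels. All sample records are constructed.
"""
from datetime import date

# Hypothetical classification policy: permitted labels and review cadence.
ALLOWED_LABELS = {"public", "internal", "confidential", "highly-confidential"}
REVIEW_INTERVAL_DAYS = 365

# Constructed sample register: each record is one information asset.
SAMPLE_REGISTER = [
    {"id": "A1", "name": "Customer CRM", "classification": "highly-confidential",
     "criticality": "critical", "owner": "Head of Retail", "held_by": "internal",
     "last_reviewed": "2024-03-01", "third_party_assurance": None},
    {"id": "A2", "name": "Payroll SaaS", "classification": "confidential",
     "criticality": "high", "owner": "CFO", "held_by": "third-party",
     "last_reviewed": "2024-06-15", "third_party_assurance": None},
    {"id": "A3", "name": "Marketing site", "classification": "open",
     "criticality": "low", "owner": "", "held_by": "internal",
     "last_reviewed": "2021-01-10", "third_party_assurance": None},
    {"id": "A4", "name": "Claims data lake", "classification": None,
     "criticality": "critical", "owner": "Head of Claims", "held_by": "third-party",
     "last_reviewed": None, "third_party_assurance": "SOC2-2024"},
]


def check_register(register, today, allowed_labels=ALLOWED_LABELS,
                   review_interval_days=REVIEW_INTERVAL_DAYS):
    """Return (asset_id, finding) tuples for the gaps in the review findings:
    missing or non-policy classification, missing owner, stale or absent
    register review, and third-party-held assets with no assurance evidence."""
    findings = []
    for asset in register:
        aid = asset["id"]
        label = asset.get("classification")
        if not label:
            findings.append((aid, "no classification label"))
        elif label not in allowed_labels:
            findings.append((aid, f"label '{label}' not defined in classification policy"))
        if not asset.get("owner"):
            findings.append((aid, "no accountable owner"))
        reviewed = asset.get("last_reviewed")
        if reviewed is None:
            findings.append((aid, "never reviewed"))
        elif (today - date.fromisoformat(reviewed)).days > review_interval_days:
            findings.append((aid, "review overdue"))
        if asset.get("held_by") == "third-party" and not asset.get("third_party_assurance"):
            findings.append((aid, "held by third party with no assurance evidence"))
    return findings


def summarise(findings):
    """Count findings per asset, worst first, for a board-level summary."""
    counts = {}
    for aid, _ in findings:
        counts[aid] = counts.get(aid, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def run_sample():
    """Run the check over the constructed register at a fixed reference date."""
    return check_register(SAMPLE_REGISTER, date(2025, 1, 1))


if __name__ == "__main__":
    for aid, msg in run_sample():
        print(f"{aid}: {msg}")
    print(summarise(run_sample()))
```

In a real program the register would come from a CMDB or GRC export and the reference date would be the date of the assessment; the check is deliberately strict about empty labels and empty owners because those are the fields an asset register most often carries as placeholders rather than facts.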
Information security controls of third parties:
Assurance over third-party security controls is essential to understanding the residual risk involved in partnering with other organisations. Commonly there was insufficient validation of those controls and of their testing, and the criticality and sensitivity of assets held or managed by third parties was not aligned with the entity's own classification. APRA recommends a clear understanding of which assets sit with third parties and a rigorous process for establishing the security posture of those environments, through both self-assessment and independent assessors.
Control testing programs:
APRA has recommended uplifts in the methodical testing of security controls and systems, with clearly articulated success criteria and appropriately skilled, functionally independent specialists performing the control validation. Gaps were apparent across user access reviews, physical security control tests and data loss prevention.
Incident response plans:
Incident response (IR) plans were either not in place, not reviewed, or not tested regularly enough. There was also a lack of definition around the roles and responsibilities of third parties, and limited maturity in the IR playbooks and the scenarios they covered. APRA recommended that a broader range of plausible disruptive scenarios be covered, including:
· Malware Infection including ransomware;
· Data Breaches;
· Compromise of staff or customer credentials;
· Denial of Service Attacks;
· Hack of an internet-facing platform;
· Website Defacement;
· Compromise by an advanced persistent threat.
Limited internal audit review of information security controls:
APRA found that entities' internal audit teams performed limited reviews of information security controls, and in some cases the internal auditors lacked the skills needed to perform the validation. Recommendations included targeting audit effort at areas of material impact, reviewing the scope and quality of the testing being conducted, and reporting material deficiencies or absences of assurance to the board.
Notification of material incidents and control weaknesses:
Common gaps included notifications that were not made in a timely manner or not enforced, with the requirements missing from entities' policies, and contracts with third parties that did not require the reporting of material incidents and control weaknesses to APRA. Closing these gaps requires an immediate uplift in clear governance processes and in the mechanisms used to identify material control weaknesses, vulnerabilities and incidents.
It is encouraging to see APRA sharing these common gaps across the sector, as the same security gaps and advice apply in many other sectors and help guide customers toward having acceptable (and ideally integrated) risk controls and visibility in place.