The Missing Mandate In Australia’s Efforts To Protect The Finance Sector From Cyber Threats

Australia’s financial services industry regulator has a new information security standard that is set to kick in from July, opening up a potential pathway to a much-needed national intelligence-led attack simulation scheme for the industry.

The Australian Prudential Regulation Authority’s (APRA) incoming CPS 234 standard on information security, which late last year was fast-tracked “due to the urgency of the threat”, essentially compels relevant providers to have adequate measures in place to protect customer information and be resilient against potential cyber-attacks.

Combined with APRA’s recently announced new Enforcement Approach, which will see the regulator take a stronger role in enforcing regulatory compliance, the scene is nearly set for the shaping of a financial services industry with a progressively robust and world-leading security posture.

This is a good start. The new standard calls for APRA-regulated financial services providers to maintain an information security capability commensurate with the size and extent of the threats to their information assets. It also mandates that relevant entities test the effectiveness of their information security controls through a systematic testing program.

Thanks to the nature of this systematic testing directive, the incoming standard effectively opens up scope for a scheme that flexes one of the most important security tools in any enterprise’s toolkit: threat intelligence-led attack simulation.

However, while the CPS 234 standard creates an opportunity for such a scheme, there is yet to be any clear indication from APRA that it actually plans to introduce an all-important initiative to support the incoming standard in terms of real-world threat prevention regimes.

And the value of an intelligence-led attack simulation regime cannot be overstated. Unlike traditional penetration testing, intelligence-led attack simulation exercises involve gathering threat intelligence to identify the real-world adversaries and the critical economic functions they are targeting within actual financial institutions.

Under this regime, further intelligence gathering identifies the tactics, techniques and procedures (TTPs) commonly employed by those specific adversaries. This allows a penetration testing team to simulate those adversaries using the same TTPs across a number of attack scenarios.

Such exercises commonly find weaknesses in the people, processes and technology within an organisation, along with the organisation’s ability to detect, respond to, and recover from the simulated attack. As a result, simulation exercises almost always provide a better understanding of an organisation’s overall resilience to attack than other methodologies.

This is perhaps why the Bank of England in the United Kingdom established an intelligence-led assurance framework in 2015, with the European Central Bank since launching a region-wide initiative supporting intelligence-led attack simulation.

The Hong Kong Monetary Authority, meanwhile, requires financial institutions to engage in intelligence-led cyber attack simulation testing and the Association of Banks in Singapore’s financial industry best practices guidelines rely heavily on similar attack simulation practices.

Given that some of the world’s leading financial services industry markets appear to not only be in favour of, but actively mandating, intelligence-led attack simulation, it’s clearly a major regulatory initiative that needs to be implemented in one of Australia’s biggest and most important industry sectors.

Let’s not forget that APRA-regulated entities hold somewhere in the vicinity of A$6.5 trillion in assets. It is one of the most important industries to the Australian economy, and also one of the most highly targeted by cyber criminals.

With this in mind, APRA clearly needs to go one step beyond the CPS 234 standard itself and roll out a supporting scheme aimed at mandating an intelligence-led attack simulation regime among all APRA-regulated entities of a certain size.

But what would such a regime look like in practice? APRA could begin by looking to those markets around the world that already have relatively well-established schemes making effective use of threat intelligence-led attack simulation practices, such as those already mentioned: Singapore, Hong Kong, Europe and the United Kingdom.

Indeed, the United Kingdom’s central bank was the first financial regulator to implement a threat intelligence-led attack simulation regime. In 2015 the Bank of England created CBEST, an intelligence-led assurance framework.

The CBEST framework, which was designed specifically for financial institutions, requires a CREST-certified threat intelligence provider to identify a financial institution’s potential cyber adversaries and a similarly accredited penetration testing provider – or red team – to simulate attacks by such adversaries.

If we take the Bank of England’s example as just one template from which APRA can draw upon to create an intelligence-led attack simulation scheme, Australian financial services providers could very well end up going toe-to-toe with the global financial industry leaders in terms of security posture.

But it will take commitment and foresight by APRA to get Australia to that point. With the CPS 234 standard set to take effect, the opportunity for APRA to step up to the plate is now here.

Tim Dillon

Tim Dillon is NCC Group’s Director of Technical Security Consulting for Asia Pacific. His areas of expertise include network and infrastructure security, web application security, social engineering, and wireless and VoIP security. With more than a decade of experience in the information security industry, Tim has been involved in incident response and penetration testing in the banking industry and in security consulting work for a number of consultancies. He moved into the consulting world as a security analyst investigating incidents in 2004, and later joined a financial institution CERT based in Singapore. He subsequently held further positions focusing on penetration testing in Australia. As a security consultant and as Director of Technical Security Consulting for NCC Group’s Asia Pacific business, Tim has led and delivered security assessments across a wide variety of industries, including financial services, governments, mining, manufacturing, transport, healthcare and utilities, as well as several Red and Black Team engagements since 2013. Tim has written and presented on various topics over the years, including DDoS testing, cloud security, DNS, social engineering, transport assurance, and current and emerging threats.