In a December 2016 speech, ASIC Chairman Greg Medcraft highlighted that ASIC has identified cyber resilience as a key priority, signalling increased regulatory scrutiny of this risk vector. ASIC views cyber resilience as one of the most significant concerns for the financial services industry and the economy at large.
More recently, in September 2017, ASIC Commissioner John Price stated, “ASIC expects that all boards are considering their firms’ cyber resilience. In particular we expect boards to understand what it takes to improve an organisation’s overall cyber resilience so it can survive and recover from an attack as quickly as possible.”
Cyber resilience is the ability to prepare for, respond to and recover from a cyber-attack. Resilience is more than just preventing or responding to an attack—it also takes into account the ability to adapt and recover from such an event.
Both senior regulators referred to the two key pieces of guidance ASIC has produced in the last few years: REP 468 Cyber resilience assessment report: ASX Group and Chi-X Australia Pty Ltd, released in March 2016, and REP 429 Cyber resilience: Health check, released in March 2015.
It is also important that fund managers and financial service providers are aware of their obligations as Australian Financial Services (AFS) licensees, as summarised in ASIC “RG 104 Licensing: Meeting the general obligations”, and/or as Responsible Entities per “RG 259: Risk management systems of responsible entities”. Increasingly relevant is the interaction between the expectation of cyber resilience and the requirements in relation to technological resources described at 104.90 – 104.93 of RG 104.
The 2016 Report 468 provides some real and practical guidelines for the ASIC-regulated population. These include a set of 11 Good Practice notes; some key questions that a Board should consider and ask of itself; and a suggested self-assessment framework for organisations to consider using – the NIST Cybersecurity Framework from the US-based National Institute of Standards and Technology.
1. ASIC Good Practice Notes
Those good practice notes and matters for Board consideration in relation to cyber resilience, as ASIC considers it, are summarised here.
Good Practice 1: Board Engagement
The board takes ownership of cyber strategy and ensures it is reviewed on a periodic basis to assess progress against success measures outlined in the strategy. Measures include time to detection, speed of response and recovery process.
Cyber resilience as a management tool
The management of cyber resilience is viewed by the board as a critical management tool for understanding risk status and making important investment decisions on cyber risk. It is seen as a tool for ‘enabling’ (not limiting) the organisation—by anticipating scenarios and building protection against them to take advantage of market opportunities.
Cyber resilience fluency
Board members are becoming increasingly educated in the language of cyber resilience and the potential threats to organisations, and are more readily able to ask risk and audit committees the relevant questions. This reflects an active understanding of the cyber threat landscape and the planning and testing of response scenarios: see the appendix for a set of questions for board members to consider when evaluating cyber resilience within their organisations.
Assurance processes are focused on end-to-end business processes. This is undertaken with a view to confirming that critical business operations, technology applications and infrastructure—and the supporting data—are tested as a whole rather than independently of business processes and technology functions. The aim is to ensure that critical business processes can be reactivated if and when an incident occurs.
Good Practice 2: Governance
Organisations are tailoring traditional governance processes to ensure ‘responsive governance’. In a rapidly changing cyber risk environment, the policies and procedures of today are not necessarily valid for long periods of time, and may not remain valid between typical annual review cycles.
This approach considers how adjustments can be driven by events and incidents, rather than by keeping to a fixed review period which might ignore the need for change that arises in between set periodic review points.
Alignment with the organisation’s overall governance framework
Cybersecurity governance is clearly and visibly aligned to other organisation-wide governance processes and procedures. This means that documented strategies, principles, policies, rules and procedures are in line with the overall governance framework.
Good Practice 3: Cyber Risk Management
Cyber risk management is increasingly becoming intelligence-led and moving to near real-time processes. This is occurring through automation and use of risk management tools that can integrate many sources of risk—including those from collaboration and information-sharing sources such as peers in the industry, police and government agencies.
Some organisations have taken the step of establishing specialist functional groups within their organisations to monitor and address risks in real time, often known as ‘fusion’ centres.
Good Practice 4: Third-Party Risk Management
Organisations have developed risk-based assessment methods and tools to ensure that third-party suppliers and partners are regularly assessed to guarantee compliance with required security standards. Some organisations are also using external service providers to carry out periodic assessments of partners and vendors.
Good Practice 5: Collaboration and Information Sharing
To gather intelligence, organisations are often engaging specialist third party organisations to undertake security monitoring and assessments. By employing the services of specialist individuals and companies operating in foreign jurisdictions, organisations are able to gather threat intelligence.
Organisations also have confidential information-sharing arrangements in place with other financial institutions, security agencies and law enforcement.
Good Practice 6: Asset Management
Centralised asset management system
Asset inventories for hardware, software and data, both internal and external to organisations, are managed through a centralised asset management system.
Configuration management is important for ensuring there is visibility of critical assets across the organisation, and for managing software versions and security patches.
Good Practice 7: Cyber Awareness and Training
Development of organisation-wide programs and strategies to ensure staff awareness and education—including for contractors and partners—which is effectively managed and monitored against success criteria.
Strategies based on a program of continuous development of knowledge and awareness—so that, through active vigilance, staff become an effective defence against malicious cyber activities by preventing incidents arising from attempted phishing attacks and other forms of social engineering.
Random staff testing
Random testing of staff enables the organisation to measure the effectiveness of cyber-awareness programs (e.g. a test email containing malware is sent to a staff member or group to test their response) and to take appropriate measures based on the response (i.e. staff may be required to undertake further training if they do not manage the situation in accordance with their training).
Good Practice 8: Proactive Measures and Controls
Organisations have already implemented, or have made it a priority to implement, the ASD’s ‘top four’ strategies to mitigate targeted cyber intrusions:
– application whitelisting;
– application patching;
– operating system patching; and
– restricting administrative privileges.
Additionally, the more progressive organisations have also sought to apply:
– Security as integral to the systems development lifecycle, sometimes known as the Security Development Lifecycle (SDL);
– Encryption for stored data and ‘data in transit’ based on a risk assessment of the assets in question;
– Filtering and monitoring of outbound email messages to ensure that data is not transmitted outside of the organisation’s network in error or through intent; and
– Highly restricted access to use of USB ports on computer equipment to minimise risks of data leakage or introductions of unauthorised software or files.
Good Practice 9: Detection Systems and Processes
Continuous monitoring systems
Continuous monitoring systems, often organisation-wide, are implemented to monitor events on an organisation’s network and systems using Security Information and Event Management (SIEM) technologies. SIEM technologies enable the detection and alert of anomalous user behaviours such as access to applications or files, as well as abnormal movement of information across the networks measured against a baseline reference of ‘normal’ activity.
Data analytics is used to integrate sources of threats and associated risks into a single view of the threat landscape in real time. Threats detected by the organisation, in addition to information collected through collaboration and information-sharing channels, are analysed to move response capability towards predicting malicious cyber activities.
Organisations also employ technical specialists to test their defences by attempting to break into the organisation’s own networks.
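The baseline-versus-anomaly check that Good Practice 9 describes, written out as a minimal SIEM-style rule. This is an added example, not material from the ASIC report; the baseline, log format and thresholds are constructed for illustration.

```python
# Added example (not from the ASIC report): a minimal baseline-vs-anomaly check
# of the kind a SIEM correlation rule performs over file-access and outbound
# transfer events. All data below is constructed for illustration.
from collections import defaultdict

# Constructed baseline: the shares each user normally touches and a typical
# daily outbound volume (in practice learned from weeks of history).
BASELINE = {
    "alice": {"shares": {"finance", "hr"}, "out_bytes_p95": 50_000_000},
    "bob":   {"shares": {"research"},      "out_bytes_p95": 10_000_000},
}

# Constructed log lines: "<time> <user> <action> <share-or-destination> <bytes>"
SAMPLE_LOG = """\
09:01 alice read finance 1200000
09:30 bob read research 40000
11:15 bob read finance 800000
13:40 bob upload external 60000000
14:05 alice read hr 300000
15:20 carol read finance 5000
"""

def parse(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, share, nbytes = line.split()
        events.append({"ts": ts, "user": user, "action": action,
                       "share": share, "bytes": int(nbytes)})
    return events

def detect(events, baseline, out_multiplier=2.0):
    """Return (time, user, reason) alerts for: a user with no baseline, read
    access outside the user's baseline shares, or cumulative outbound volume
    exceeding out_multiplier times the user's baseline."""
    alerts = []
    out_total = defaultdict(int)
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            alerts.append((e["ts"], e["user"], "no baseline for user"))
            continue
        if e["action"] == "upload":
            out_total[e["user"]] += e["bytes"]
            if out_total[e["user"]] > out_multiplier * b["out_bytes_p95"]:
                alerts.append((e["ts"], e["user"], "outbound volume above baseline"))
        elif e["share"] not in b["shares"]:
            alerts.append((e["ts"], e["user"], f"access to {e['share']} outside baseline"))
    return alerts
```

Running `detect(parse(SAMPLE_LOG), BASELINE)` on the constructed data yields three alerts: bob reading a share outside his baseline, bob's outbound volume exceeding his baseline, and an access by a user with no baseline at all.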
Good Practice 10: Response Planning
Organisations are adopting some of the following practices:
– Scenario planning: To predict the types of incidents that may occur based on their specific risk profile, and implementing and exercising response processes.
– War gaming: Some organisations are using war gaming techniques to better understand and plan their defence against malicious cyber activities.
– Proactive reporting to the board: Reporting of changing threats and the counter measures that are in place.
Good Practice 11: Recovery Planning
In the event of a data breach, organisations have actively determined when and how to notify customers—and there is a well-defined communication plan in place for managing stakeholders and public relations.
2. ASIC Suggestions For Board Consideration
Issues and questions for Board consideration include:
Question 1: Are cyber risks an integral part of the organisation’s risk management framework?
The board should ensure that cyber risk is an element of the broader risk framework and that exposures are recognised, assessed for impacts based on clearly defined metrics such as response time, cost and legal or compliance implications, and planned for to attract investment commensurate to a risk-based assessment.
Question 2: How often is the cyber resilience program reviewed at the board level?
Given the rate of change in the cyber risk landscape, and the speed at which a business can be severely compromised (potentially within hours or days), the board should consider whether periodic reviews that are more frequent than for other risks forming part of the risk management framework should be adopted.
Question 3: What risk is posed by cyber threats to the organisation’s business?
Different businesses will be exposed to different cyber risks and different potential consequences. It is important for the board to reflect on risks relevant to the particular business of the organisation. Without understanding the nature of the risk and its consequences it is difficult for a board to set a suitable risk tolerance for the risk and to ensure that cyber risks are adequately dealt with by the organisation’s risk management framework.
Question 4: Does the board need further expertise to understand the risk?
Although a board may not require general technology expertise, for many organisations it may be advisable to have one or more directors who have a strategic understanding of technology and its associated risks, or who have a background in cybersecurity.
In some circumstances, the board should consider the use of external cyber experts to review and challenge the information presented by senior management.
Question 5: How can cyber risk be monitored and what escalation triggers should be adopted?
Trying to identify a cyber risk may pose particular challenges. Organisations at the forefront of good practice are using intelligence-driven solutions to deal with this challenge.
For some organisations, malicious cyber activities may be devastating to business operations. It is therefore important to consider what events should trigger the provision of more detailed information on the risk to senior management and the board.
Question 6: What is the people strategy around cybersecurity?
Despite significant advances in cybersecurity technology and products, lack of staff awareness of safe cyber practices, social engineering and negligent behaviours remain a major source of cyber issues.
The board should satisfy itself that there is sufficient investment in staff awareness training given its prominence as a source of risk—and because a collective effort against cyber threats will better serve an organisation.
Question 7: What is in place to protect critical information assets?
The board should be satisfied that critical information assets of the organisation are appropriately secure. There should be transparency surrounding the location of all critical assets (including third-party partners and service providers), how they are protected and how protection is being assured.
Question 8: What needs to occur in the event of a breach?
The board should ask itself:
a) If and when a problem arises, what processes are in place for communicating effectively, internally and externally, and managing the situation?
b) Has there been a sufficient level of scenario planning and testing to ensure that response plans are valid and up-to-date, including with third-party suppliers and dependents?
The board may need to ensure that security and customer trust are central considerations as companies strive to deliver innovative products and services through technology.