Australian Companies Now Have 6 Months For APRA Compliance

Carla Morss | November 24, 2019 | tag: Regulation & Compliance

Early in 2019, unknown threat actors attempted to hack the Australian federal Parliament’s computer network and the servers used by every politician, staffer, and security officer in Parliament House. Authorities believe there is a strong chance this could have been executed by a state-based actor.

Though investigators never found proof that data was compromised or stolen, the intrusion exposed weaknesses in the country's federal digital infrastructure. As nation states become more frequent targets of attack, their networks must be hardened against external intrusion, and cyber risk management must become a national priority.

Data breaches are occurring more frequently, and the trend is unlikely to reverse. In the last three months of 2018 alone, Australian authorities were notified of 262 data breaches with the potential to expose the personal information (including tax file numbers) of a significant number of Australians. The notifications came from a variety of industries, including private health service providers, finance, legal, accounting and management services, private education providers, and mining and manufacturing.

To prepare for the day a data breach occurs, organizations should take appropriate measures to strengthen their cybersecurity programs: ongoing threat education and awareness training for employees, responsible data protection practices, and security spending sufficient for their risk appetite. A risk management program built only to the 'bare minimum' will be neither effective nor scalable.

Australian companies are, however, much less confident in their security controls than their global peers. According to Accenture's recent Securing the Digital Economy: Reinventing the Internet for Trust report, which surveyed more than 1,700 CEOs and C-suite executives worldwide, only 22% of Australian respondents said they are confident in their Internet security; in the other countries surveyed the figure was at least 30%. This gap suggests that Australian companies are either especially exposed to cyber risk, including third-party risk, or have found that risk difficult to manage and mitigate.

While data breaches remain an issue for Australia, national regulation is starting to force the issue of cyber risk management. Both the Australian Prudential Regulation Authority (APRA) and the Australian Government Information Security Manual (AG-ISM), published by the Australian Cyber Security Centre, set requirements that will affect many Australian businesses by early 2020. APRA's information security standard, CPS 234, has been making headlines because of its July enforcement date.

So, how can organizations use a solution like security ratings to implement a cyber risk management program that aligns with these impending regulations?

APRA requires its regulated entities to be resilient against information security incidents, including cyber attacks, by maintaining information security capabilities commensurate with the threat landscape, with the key objective of minimizing the likelihood and impact of such incidents. BitSight supports that objective with automated, scalable (and therefore resource-efficient) security ratings: rapid deployment, continuous monitoring of third parties with near-real-time data, historical data so that businesses can review performance over any period, and ratings built from information on over 23 risk vectors, giving deep insight into the potential risk within an organization.

APRA also makes the Board of an APRA-regulated entity ultimately responsible for that entity's information security, and requires it to ensure that security and risk management practices keep pace with today's threat landscape. BitSight makes it easier for Board members to interpret and understand cyber risk in quantifiable terms and to make appropriate decisions accordingly.

The AG-ISM, issued by the Australian Cyber Security Centre, sets compliance requirements for government agencies and is widely treated as authoritative by local companies and state agencies looking for guidance on how to build and maintain an acceptable cybersecurity posture. In particular, it encourages organizations to focus on mitigating risk from the supply chain. BitSight helps companies continuously monitor their third parties to identify the cyber risk present in their supply chain before integration, using a data-driven, systematic, and repeatable technology. It also provides insight into the fourth-party risk posed by suppliers' own suppliers, and a direct comparison between prospective third parties so that security risk can become part of a tender process. Ultimately, BitSight provides an ongoing, near-real-time rating of the security risk posed by third-party suppliers as part of an AG-ISM-aligned organization's third-party risk management approach.

As cybersecurity regulatory compliance becomes a greater focus for organizations across Australia, they need confidence in the risk management program they implement. Security ratings allow those companies to make security and risk decisions, both internally and across the supply chain, that scale at the speed of their business.

Learn how BitSight Security Ratings can help you meet and surpass APRA cybersecurity regulations.
