
The current situation in Australia is precisely what these standards are intended to address. If there was ever any doubt in the minds of Boards or Management as to why cyber security and operational resilience deserve such focus, the current situation brings the reason into stark focus.
APRA-regulated ADIs are affected by the recent data breach through the temporary sharing of compromised customer data, which enables enhanced monitoring and safeguards for impacted customers. To opt in, eligible ADIs must provide a written CPS 234 attestation to APRA. Whilst the ADIs themselves were not breached, some of their customers are impacted. An inability to provide this attestation may have consequences for an ADI’s reputation. This temporary arrangement is likely to be made permanent.
The purpose of CPS 234 is to “ensure that an APRA-regulated entity takes measures to be resilient against information security incidents”. CPS 230 expands the focus to “operational risks and disruptions”. The intention of these standards is not just to prevent incidents from occurring. As we heard on the radio a few mornings ago, “everything is hackable”. As such, the cost of trying to prevent every incident will eventually become prohibitive and counterproductive. At some point, Boards will need to shift their focus from prevention to detection. Where this point lies will be a function of a Board’s risk appetite. Regardless of where the balance sits between prevention and detection, all entities need to be resilient – ensuring both continuity of operations and preventing/minimising and rectifying detriment to customers. Both are of equal importance.
The strategy to prevent/minimise and rectify customer detriment must consider two scenarios that could occur separately or simultaneously – loss of service and release of customer information. In the case of a data breach, an entity must understand the nature of the customer data it holds and how customers will be impacted if that data is breached. As we have seen recently, replacing identification documents and providing access to credit monitoring services is costly but necessary.
As hundreds of thousands of Australians can attest right now, communication plans are also critical, including how and when to engage with regulators, government agencies and, most importantly, customers. The tone and content of these communications are critical. They cannot be written after the data breach; they must be ready to release as soon as the breach is detected.
Related to this, a scenario that many Boards may never have considered is “would we pay a ransom to recover data and if so, in what circumstances?”. This doesn’t need to be spelt out in a risk appetite statement but should form part of any critical incident response.
In our recent piece on CPS 230, we identified four things that the Board and Management should be focused on:
Recent events have highlighted some other areas for Board and Management to consider:
Our risk consultants are available to support your implementation of CPS 230. For more information, please get in touch.