With regulated financial institutions beginning to scope and plan for a CPS 234 audit, APRA’s release of pilot audit feedback is timely.
Audit outcomes have “reinforced APRA’s view that boards need to strengthen their ability to oversee cyber resilience… APRA expects boards to have the same level of confidence in reviewing and challenging information security issues as they do when governing other business issues.”
Reviewing and challenging information reported by management on cyber resilience
The pilot highlighted that the Board’s effectiveness to review and challenge is reliant on the quality of security information reported by management. Equally, boards may need to expand their skillset to cover these areas, which management should consider in the overall training of the organisation.
Reporting to the Board on cyber risk is not an insignificant task given the non-traditional nature of cyber risk. Cyber risk often pushes Boards outside their comfort zone. Interpreting the reports and being able to understand threats, risks and the right questions to ask is especially difficult for Boards which may not have the speciality skill set necessary to challenge the information being reported.
APRA has outlined five questions to guide the board in engagement with management, covering vulnerabilities, system capability, regularity of testing and scenario planning.
For management, CPG 234 outlines some key areas for reporting, including capability, incident response, control effectiveness and education. In line with the above, management should ensure that board consideration and “challenge” is well documented in meeting minutes.
Ensuring the topic areas mentioned by CPG234 are supported by quality metrics, free from technical jargon, mapped to financial impact and supported by real wold examples will help to improve the Boards ability to understand and challenge the reports and build their cyber risk management skills.