Between April 2018 and April 2019, Australia witnessed almost 950 data breaches that cost a whopping $7.8 billion, as reported by the office of the Australian Information Commissioner. More recently, Australian Prime Minister Scott Morrison stated that the country was being targeted by a massive, nation-sponsored attack.
“This activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure,” he said.
In response, the Australian government have beefed up their cybersecurity budget with a $1.3 billion investment and a recent legislation CPS 234.
The COVID Catalyst
CPS stands for Cross-Industry Prudential Standard (CPS) 234. While it has been around since 2018, it was in November 2020 that the regulatory body decided to double down on its enforcement.
What made them take notice, you ask? The COVID crisis to a great extent.
The pandemic had the enterprises accelerate digitization and moving to the cloud. Most businesses got restructured for online operations. This surge in global cross-border communication served as a lucrative opportunity for cyber pirates to cash on. Nearly every organization observed a sizeable increase in the frequency of spyware and trojan attacks masked under interactive coronavirus maps and websites.
In their most vulnerable state, it’s understandable how people can fall prey to fishing emails claiming to contain helpful information on COVID, say numbers on the latest outbreak or new exposure sites in your area.
I’ll let numbers do the talking. At present, the ANZ bank’s systems are blocking 12 million malicious emails a month - triple the number of emails they were blocking before the pandemic. Each of those emails potentially unlock the door to reach protected data.
Needless to say, it was about time the authorities fortified their data.
What is CPS 234?
CP234 is an Australian cybersecurity regulation that sets minimum standards for data security under the supervision of Australian Prudential Regulation Authority. It works in tandem with their 2020-2024 Cyber Security Strategy. The motivation is simple — beef up the cybersecurity resiliency and safeguard sensitive data.
CPS 234 has four essential requirements:
-
Clearly outline the information security-related roles and responsibilities across the board, senior management, including governing bodies and individuals.
-
Clear identification and classification of all Information assets according to their risk criticality ratings with impact on loss and availability, risk sensitivity and impact of the loss of confidentiality and integrity.
-
Implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls.
-
Promptly notify APRA within 72 hours of material information security incidents.
So, the institutions that fall under CPS umbrella must now focus more on their capabilities to detect breaches. Steps to be taken once they detect any. How do they respond to it? What is the plan for recovery? It essentially focuses on the overall element of cyber resilience.
Who Needs to Comply?
CPS 234 applies to all APRA regulated legal entities (mainly finance, banking, and insurance sectors) including:
-
Banks, credit unions, and other authorized deposit-taking institutions (ADIs)—including foreign and non-operating holding companies
-
Private health insurance companies
-
Organizations licensed under RSE based on Australian SIS Act
-
General insurance companies
-
Life insurance companies—including membership societies, both foreign and domestic
-
Any third party that manages the information held by an APRA regulated company also needs to comply.
CPS 234 In Sight: CPG 235 On Mind
As enterprises gear up to enhance their security posture via. CPS 234, a smart move will be to begin with assessing how they apply the Australian Privacy Principles and comply to CPG 235 Managing Data Risk.
CPG 235 broadly comprises 7 aspects of data governance to be implemented by banks as part of their enterprise data governance framework.
-
Take a systematic approach to data risk management
-
Implementation of Data Management Framework
-
Promote Staff Awareness
-
Managing Risks throughout Data Lifecycle
-
Address risks arising from outsourcing or offshoring of data
-
Managing Data Quality
-
Data Risk Assurance
When you merge the compliance requirements of both CPS 234 and CPG 235 in your data security plans, your data fortress becomes nearly impenetrable.
How Can Fortanix Help?
Fortanix Data Security Manager SaaS boasts FIPS 140-2 Level 3 security policy with unmatched flexibility and scalability – delivered as a service. Amid a plethora of other benefits, here are the top three ways in which it helps:
1. Protect data irrespective of where it’s residing
Fortanix DSM SaaS with integrated hardware security module (HSM), key management, encryption, shared secrets, and tokenization capabilities can facilitate data security at every level of the enterprise data stack, including applications, database, file system, full disk, and network-attached storage levels.
2. Centralized key management and security policies on-premises and multi-Cloud
Key management strategy is a crucial piece of a fool-proof data security plan. Fortanix delivers complete key lifecycle management as a service, to ensure secure and consistent key management across on-premises and multi-cloud environments. Applications and databases converge upon a single source of cryptographic services, and the security team gets a single pane of glass view of the entire ecosystem.
3. End-to-end control and visibility
Fortanix also provides organizations with the option to bring your own key (BYOK), bring your own key management service (BYOKMS) and bring your own encryption (BYOE), also known as hold your own key (HYOK). Businesses retain complete control of their encryption keys with centralized management, consistent access control policy, and centralized audit logs. With BYOKMS and BYOE, customers can also store cloud keys externally to help meet the most stringent compliance requirements.
While those are few of the many security features, here are the benefits you reap when they are ‘delivered as a service.’
1. Pay as you go
2. Available on demand
3. Get started within a few clicks
4. Zero hardware dependency
5. Zero logistical constraints
6. Super scalable and highly integrable
7. Guaranteed SLAs
8. High availability
9. Much faster time to benefit
10. Purpose-built for the cloud-first world
I understand you may have plenty of questions, and we would love to take those.
You can begin by reading the datasheet here.
Want to see us in action? Sign up for a free demo.