A new wave of responsibility has recently surged. As of 1 July 2019, the Australian Prudential Regulatory Authority (APRA) introduced CPS 234. This new cyber security standard recognises that companies’ Boards and senior management are responsible for not only IT departments, but also information security and incident management.
CPS 234 is a mechanism for increasing trust in Australia’s financial institutions. The recipe for building and maintaining reputational trust is well sought after by arguably all businesses. We also know that trust in our people is a cornerstone of thriving teams (especially in a digital age). While there is no definitive playbook for trust, we can dissect the time sensitive periods where reputational damage is most likely to occur – for example, during a crisis.
A crisis is a circumscribed event that inevitably magnifies issues of trust and reputation. When left unmanaged, there are two risks:
1) reputational soft tissue can be bruised beyond repair; and
2) trust that had arrived on foot can leave in the metaphorical Ferrari.
In an attempt to mitigate injuries from 1) and 2) above, you can develop an appreciation for “crisis thinking” in advance. We can use a case study from the recent archives of cyber incidents to demonstrate how quickly an incident can escalate into a crisis in ASX listed companies.
A third-party example of order & chaos, then crisis
Business flourishes at the intersection of order and chaos. Order is controlled and includes the policies and frameworks that support existing systems. Order is the governance, processes and procedures. Chaos, on the other hand, is emergent, disruptive and unpredictable; it is often the crux of innovation. These two states ebb and flow over time. A third state – crisis – is a heightened circumstance of intensity, difficulty, and potentially danger. It can sometimes be the tipping point between positive and negative trajectories that result from chaos.
Take the example of the third-party recruitment system PageUp. In its simplest form, the system collects personal identifiable information from prospective job candidates and stores the information on a digital platform under prescribed information security policies and frameworks (order). The recruitment, development and retention of talent is a dynamic process – spanning B2C and B2B interactions (chaos). That being said, innovative technology-driven solutions expose businesses to certain (and uncertain) risks. You can imagine how chaos can turn to crisis in this example, if cyber security and privacy practices are not upheld. A version of this unfolded in 2018. The $35 million turnover company PageUp notified its customers of a data breach across Australia, Singapore and the United Kingdom (crisis). Further details were scant, and the full extent of the breach was never unearthed – leaving clients and customers similarly unnerved and in the dark. Organisations relying on PageUp had two options; cease use and cauterize damage or continue to operate knowing that a material breach of personal identifiable information would result.
Under CPS 234, organisations will be obligated to report material information security breaches within 72 hours. As of 1 July 2019, accountability to the new regulation could require a “cease and cauterize” response to the situation above. Left uncontained, a company has significantly reduced control in the event where data has been breached by a third party (compared to their own direct breach). The level of influence they could typically exert over the outcome is also diminished.
Containing a crisis: Common practice trumps common sense
By enacting CPS 234, APRA recognises that the Australian financial sector will not be immune to cyber-attacks. Now more than ever, organisational resilience requires appropriate incident (and to a lesser extent crisis management) processes are in place. While the stakes are high for organisations to get it right, there are some practices that can enhance preparedness.
As humans we operate off the assumption that common sense is common. This is an overstatement at the best of times (just think about that last time you tried to reason with your colleague or partner on these grounds – and were successful). If you then inject a situation with components of a cyber incident/crisis, falling back on this approach is even more unreliable yet. In order to be armed with operational and organisational preparedness, common practice must be embedded within the business before a crisis hits. Consultation with best-practice incident management responses for your organisation is vital. Core features include appreciation for potential risks and impacts, determination of process criticalities, and a clear escalation protocol when a cyber-attack becomes a crisis.
As of 1 July 2019, Boards and management of APRA regulated organisations have increased responsibility under CPS 234. To be further informed, and understand your organisation’s obligations under CPS 234, contact Gavin Freeman or Craig Goldberg at the Business Olympian Group:
Written by Emily Knowles and Sebastian Amor-Smith