Concern for the security of information assets following the recent cyber incident at Medibank has prompted the Australian Prudential Regulation Authority (APRA) to step up its supervision of APRA-regulated entities for compliance with the Information Security Standard CPS 234.

Medibank confirmed that criminals claim to have stolen 200GB of data including names, dates of birth, Medicare numbers and claims data with codes relating to diagnosis and procedures. APRA’s UpGuard team reported in 2022 that the majority of data breaches ‘are the result of poorly secured software development practices’.

Fundamental questions for Boards of regulated entities include:

Do you know what data you are holding?

Do you know where it is?

How do you know it is safe?

And do you need to retain it?

APRA compliance recommendations

APRA recommends that regulated entities should undertake systemic testing and assurance at least annually to evaluate the effectiveness of their controls, including those managed by related parties and third parties.

To ensure that regulated entities are taking appropriate measures to protect their information assets, APRA has outlined specific steps that should be taken to comply with CPS 234. This includes:

• clearly defining information security-related roles and responsibilities
• maintaining an information security capability commensurate with the size and extent of threats
• implementing controls to protect information assets, and
• having mechanisms in place to detect, escalate and respond to information security incidents.

In the event of a material information security incident, entities are required to notify APRA no later than 72 hours.

How SW can help

As an increasing number of major cyber attacks become known, the importance of your information security systems and processes are paramount to ensure sensitive information assets are protected appropriately.

Our experienced experts have undertaken annual audits of these systems and processes across information security, compliance, risk management, and internal audit services. Working closely with clients to understand their business, security needs and particular risks, we conduct a full review with clear recommendations to ensure proactive steps are in place to protect the business and its assets.

We recommend best practice plans for CPS 234 and guide clients to implement information security assessments to ensure your cyber resilience.

Our support can include:

• A gap analysis of current practices against CPS 234
• Review of information security practices and third-party security assessments
• Independent security controls testing

Reach out to Laura Toscano or your Key Contacts here for an obligation-free discussion to find out how we can assist with your testing and assurance program.

Contributors

Laura Toscano

The post Medibank cyber attack prompts increased APRA supervision appeared first on SW Accountants & Advisors.

Barney Ling, Head of Information Technology at SW has compiled a detailed report on the key technology objectives and design decisions that went into the project, as well as reflections on the lessons learnt months after the project completed.

Prior to the pandemic a physical office refit had been in planning, however, the resulting disruption clarified our technology objectives and provided an opportunity to purpose build our office spaces to support hybrid working.

Our offices now not only look and feel great, but have also had a full technology uplift to support new ways of working. The technology uplift has included the following major elements:

• Wi-Fi only office
• Activity Based Working workstation design
• Advanced AV capabilities to support location equity
• A digital signage solution integrated with Teams rooms

If you are considering a similar initiative, please feel free to reach out with questions – we are only too happy to help and share our learnings.

Author

Barney Ling, Head of Information Technology

The post Future focused technology design at SW appeared first on SW Accountants & Advisors.