<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>THIRD PARTY RISK | InConsult</title>
	<atom:link href="https://inconsult.com.au/publication-category/third-party-risk/feed/" rel="self" type="application/rss+xml" />
	<link>https://inconsult.com.au</link>
	<description>Helping you confidently take risks</description>
	<lastBuildDate>Wed, 03 Dec 2025 06:34:42 +0000</lastBuildDate>
	<language>en-AU</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://inconsult.com.au/wp-content/uploads/2021/06/cropped-favicon-3-32x32.jpg</url>
	<title>THIRD PARTY RISK | InConsult</title>
	<link>https://inconsult.com.au</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Construction Cyber Threats: When Hackers Hit the Jobsite</title>
		<link>https://inconsult.com.au/publication/construction-cyber-threats-when-hackers-hit-the-jobsite/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Mon, 01 Dec 2025 21:02:54 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=14433</guid>

					<description><![CDATA[<p>When Hackers Hit the Jobsite: The New Frontier of Construction Cyber Threats &#160; The Australian construction industry has undergone one of the most significant digital transformations in its history. Building Information Modelling (BIM), cloud-based project management, IoT-enabled devices, remote site connectivity and integrated supply-chain platforms have improved efficiency, collaboration and onsite safety. But the digital evolution [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/construction-cyber-threats-when-hackers-hit-the-jobsite/">Construction Cyber Threats: When Hackers Hit the Jobsite</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p><span style="color: #003366;"><strong>When Hackers Hit the Jobsite: </strong><strong>The New Frontier of Construction Cyber Threats</strong></span></p>
<hr />
<p>The Australian construction industry has undergone one of the most significant digital transformations in its history. Building Information Modelling (BIM), cloud-based project management, IoT-enabled devices, remote site connectivity and integrated supply-chain platforms have improved efficiency, collaboration and onsite safety.</p>
<p>But the digital evolution has brought a new and rapidly escalating challenge: construction cyber threats.</p>
<p>Why? This digital footprint, while transformative, creates a much wider attack surface for threat actors.</p>
<p>According to the Australian Federal Police and multiple global and local reports, the construction sector has become one of the most targeted industries for cybercrime. The <a href="https://www.afp.gov.au/news-centre/media-release/criminals-target-construction-sector-business-email-compromise-scams" target="_blank" rel="noopener">Australian Federal Police</a> distributed a media release in October 2025 warning of the significant increase in scams hitting the construction sector.</p>
<p>For Australian construction companies including large head contractors, mid-tier builders, engineers, architects, subcontractors and suppliers, the threat landscape is intensifying. And without stronger cyber resilience, the industry risks becoming one of the easiest targets for cybercriminals within a short time period.</p>
<h2>Why Attackers are Targeting Construction</h2>
<p>Construction is now one of the top three most targeted sectors globally for ransomware. Cybercriminals see construction firms as:</p>
<ol>
<li><strong>Time-pressured</strong> &#8211; project deadlines create urgency, making companies more likely to pay ransoms.</li>
<li><strong>Data-rich</strong> &#8211; building plans, smart homes and offices, access credentials, project financials and bank account details are extremely valuable.</li>
<li><strong>Under-protected</strong> &#8211; many construction companies and contractors rely on outdated systems, legacy networks, or unmanaged subcontractor connections.</li>
<li><strong>Highly interconnected</strong> &#8211; multiple vendors, suppliers and subcontractors increase the number of entry points.</li>
</ol>
<p>With billions of dollars in infrastructure, commercial and residential projects underway across Australia, the stakes have never been higher.</p>
<h2>When Construction Cyber Threats Become Reality</h2>
<p>In recent years, the construction sector has experienced several high-profile cyber incidents that highlight the industry’s growing vulnerability.</p>
<p>In Australia, <a href="https://www.cyberdaily.au/security/11317-exclusive-australian-firm-goodline-confirms-ransomhub-cyber-attack" target="_blank" rel="noopener">Goodline</a> suffered a major ransomware attack in 2024 after criminals gained access through compromised credentials, stealing over 600GB of sensitive corporate and employee data.</p>
<p>In early 2025, mid-tier builder <a href="https://www.cyberdaily.au/security/11580-exclusive-lynx-ransomware-targets-australian-construction-company-novati" target="_blank" rel="noopener">Novati Constructions</a> was listed on the Lynx ransomware gang’s leak site, with attackers claiming to have exfiltrated contracts, financial data and internal reports.</p>
<p>Internationally, Chicago-based contractor <a href="https://www.constructiondive.com/news/skender-ransomware-attack-chicago-maine/712844" target="_blank" rel="noopener">Skender Construction</a> was hit by a ransomware attack in 2024 that encrypted critical project information and exposed personal data belonging to more than 1,000 individuals before the company restored systems from backups and notified affected parties.</p>
<p>These cases underscore the escalating frequency and impact of cyber-attacks across the construction ecosystem, from major contractors to engineering firms and mid-sized builders alike.</p>
<h2>Construction Cyber Threats Come from Many Angles</h2>
<p>One of the biggest misconceptions in construction cyber security is the belief that the primary risk comes from a malicious external hacker. In reality, threats come from almost every corner of a construction project.</p>
<p>From our experience in post cyber incident investigations, these are the biggest threat vectors impacting Australian builders:</p>
<p><strong>a) Insecure subcontractors and suppliers</strong></p>
<p>Subcontractors often connect to head contractor systems, share files, or use project collaboration platforms. Many operate with minimal cyber security, outdated devices or weak password policies, turning them into high-risk gateways for attackers.</p>
<p><strong>b) Legacy and outdated systems</strong></p>
<p>Many builders rely on old project management platforms, access control systems, servers and network infrastructure, SCADA (Supervisory Control and Data Acquisition) / operational technology and outdated Microsoft or mobile device versions. These systems often lack modern security patches and become easy entry points.</p>
<p><strong>c) Unsecured IoT devices on site</strong></p>
<p>Internet of Things (IoT, or smart) devices are increasingly used to monitor equipment, track workers, manage environmental conditions, control machinery and secure site access. But many IoT systems lack encryption, authentication or secure configuration, leaving them open to exploitation.</p>
<p><strong>d) Human error &amp; social engineering</strong></p>
<p>Insurance industry cyber claims highlight that more than 80% of breaches begin with a human mistake, not a technical failure. Phishing emails, invoice fraud, fake subcontractor communications and compromised file-sharing links are rampant in the industry.</p>
<p><strong>e) Compromised cloud services</strong></p>
<p>Cloud collaboration tools are essential for modern construction. But poor access controls, shared logins, dark web data breaches or unsecured mobile devices create vulnerabilities that attackers regularly exploit.</p>
<h2>The Consequences Hit Far Beyond IT</h2>
<p>Cyber incidents in construction not only expose data, they disrupt entire project ecosystems. According to industry reports, successful attacks lead to:</p>
<p><strong>a) Project Delays &amp; Operational Shutdowns</strong></p>
<p>Ransomware can freeze project schedules, site access systems, procurement and logistics, design files and BIM models and communication tools. In major projects, every day of delay can cost millions.</p>
<p><strong>b) Cost Overruns</strong></p>
<p>Cyber incidents often cause emergency IT recovery costs, ransom payments, penalty payments for delays, rework due to corrupted files, unplanned labour and overtime, and forensic and legal expenses.</p>
<p><strong>c) Loss of Contracts and Trust</strong></p>
<p>Contracts, especially in government and critical infrastructure, may be revoked if contractors suffer significant cyber breaches and trust in their systems is lost.</p>
<p><strong>d) Legal, Insurance &amp; Compliance Exposure</strong></p>
<p>With increasing regulatory attention and mandatory breach notification laws, construction firms may face regulatory scrutiny, investigations, and litigation.</p>
<h2>Prevention Against Cyber Threats is More Effective Than Remediation</h2>
<p>According to research, the cost of proactive cyber protection is a fraction of the cost of responding to a major breach.</p>
<p>The most effective strategy is early detection. Identifying vulnerabilities (such as weak subcontractor connections, exposed cloud storage, unpatched devices, or poor security protocols) before attackers exploit them is the key to resilience.</p>
<p>The following strategies can identify vulnerabilities early and significantly reduce both the likelihood and impact of an attack:</p>
<ul>
<li>regular cyber risk assessments</li>
<li>security awareness training for staff and subcontractors</li>
<li>improved authentication policies</li>
<li>patch management</li>
<li>reviewing access controls</li>
<li>incident response planning</li>
</ul>
<h2>Why a Tailored Cybersecurity Approach is Needed in Construction</h2>
<p>Construction is unlike any other sector. With multiple sites, dispersed teams, diverse hardware/software, and complex supply chains, a generic cyber security solution simply does not work. Tailored strategies must consider:</p>
<p><strong>a) Multi-site environments</strong></p>
<p>Each site has unique requirements, equipment, connectivity and contractor access.</p>
<p><strong>b) Distributed workforce</strong></p>
<p>Engineers, project managers, site supervisors and subcontractors work across different locations and systems with varying sensitivity.</p>
<p><strong>c) High subcontractor dependency</strong></p>
<p>Each subcontractor introduces a new set of potential vulnerabilities.</p>
<p><strong>d) Operational technology (OT) &amp; IoT complexities</strong></p>
<p>Integrating physical equipment with digital systems increases risk.</p>
<p><strong>e) Hybrid digital ecosystems</strong></p>
<p>On-premise systems, cloud apps and mobile devices must all be secured cohesively.</p>
<p>Clearly, construction demands a layered, customised cyber security model, one that addresses human, technical, and supply-chain vulnerabilities holistically.</p>
<h2>What Construction Cyber Threats Indicate</h2>
<p>Australia’s construction industry continues to move quickly into a digital future, but with that progress comes real, business-critical cyber risk.</p>
<p>Cyber-attacks are no longer hypothetical. They are happening every week across the sector, impacting builders, contractors, engineers, architects and suppliers. The consequences are far-reaching: financial loss, project disruption, safety risks and reputational damage.</p>
<p>The message is clear: Construction firms must treat cyber security as seriously as physical site safety, quality control and project governance.</p>
<p>The most resilient organisations will be those that:</p>
<ul>
<li>recognise cyber risk as a genuine operational threat</li>
<li>assess their vulnerabilities early</li>
<li>strengthen subcontractor and supply-chain security</li>
<li>build a culture of cyber awareness</li>
<li>invest in tailored, layered protection</li>
</ul>
<p>In a landscape where every project is interconnected, a firm's cyber security controls are only as strong as its weakest link. Now is the time for construction companies to act before a cyber incident becomes the next major project delay or business interruption.</p>
<h2>Can We Help?</h2>
<p>We are here to help strengthen cyber resilience. Our cyber risk management capabilities include designing and developing a cyber risk management framework and a wide range of response plans to enhance your cyber resilience capabilities. Our <a href="https://inconsult.com.au/services/cyber-resilience/">cyber risk</a> management services include:</p>
<ul>
<li><a href="https://inconsult.com.au/construction/">Vulnerability scanning</a></li>
<li>Cyber Security Gap Analysis against Essential Eight and ISO 27001</li>
<li>Regulation compliance advice</li>
<li>Cyber Risk Governance Framework Reviews</li>
<li>Cyber Risk Governance Framework Development</li>
<li>Third-Party Vendor Review and Cyber Risk Analysis</li>
<li>Cyber Risk Awareness Training and Internal Campaigns</li>
<li>Post-Cyber Incident Review</li>
<li>Email Phishing Campaigns</li>
<li>Cyber Incident Response</li>
<li>Crisis Team Familiarisation Training</li>
<li>Artificial Intelligence (AI) Risk Governance</li>
</ul>
<p>Be more resilient to a wide range of cyber risks and get relevant insight into how to protect your systems by <a href="https://inconsult.com.au/contact-us/">contacting us</a> to discuss how we can help strengthen your cyber resilience framework.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>New Third Party Requirements Reshaping Australia</title>
		<link>https://inconsult.com.au/publication/third-party-audits-reshaping-organisations/</link>
		
		<dc:creator><![CDATA[William Makdessi]]></dc:creator>
		<pubDate>Thu, 18 Sep 2025 05:18:22 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=12710</guid>

					<description><![CDATA[<p>On September 15th 2025, the Institute of Internal Auditors (IIA) issued the new Topical Requirements focused on strengthening consistency and quality of auditing the high-risk area of Third Party Management. As a new mandatory element of the IIA International Professional Practices Framework (IPPF), these new requirements will reshape the way in which third party risk [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/third-party-audits-reshaping-organisations/">New Third Party Requirements Reshaping Australia</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>On September 15<sup>th</sup> 2025, the Institute of Internal Auditors (IIA) issued the new <a href="https://www.theiia.org/en/standards/2024-standards/topical-requirements/third-party/?_cldee=KBu2L3NKbLi8FP4uHxMEPIah70AaZTmZN8PzqkD5_pOlgSZ92yQyaCVBEczJG6Kv&amp;recipientid=contact-e29ef4b95c06ee118f6e000d3ae0178a-36d2b4c7686b4f84b7678164d3a1a0c7&amp;esid=1821b916-a592-f011-b4cb-7ced8d32ddf0">Topical Requirements</a> focused on strengthening consistency and quality of auditing the high-risk area of Third Party Management. As a new mandatory element of the IIA International Professional Practices Framework (IPPF), these new requirements will reshape the way in which third party risk management and assurance auditing is facilitated in Australia.</p>
<p>The new Topical Requirements, set to be effective September 15<sup>th</sup> 2026, will raise the bar and provide a number of benefits including:</p>
<ul>
<li>Defining a consistent baseline for evaluating third party risk across all industries.</li>
<li>Increasing confidence in assurance and auditing for leadership and key stakeholders with respect to third party risk profiles.</li>
<li>Inherently strengthening the resilience of organisations with respect to third party failures, ethical breaches, cyber incidents and more.</li>
</ul>
<h3><strong>Third Party Challenges Organisations Will Face</strong></h3>
<p>Despite the benefits, the introduction of the requirements also brings with it new challenges that will have to be faced uniquely by organisations of different size, complexity and industry. As they say there is more than one way to skin a cat, and it is up to organisations to determine the right way.</p>
<h4>1. Increases in documentation and evidence</h4>
<p>Auditors will be expected to document evidence of assessment of formally structured frameworks and their supporting procedures. The relationship between these frameworks and how they tie into the organisation&#8217;s risk management is an additional requirement that expects a level of maturity that is not commonly in place in typical Australian organisations. Even if these frameworks are in place, a lack of cohesion across the different methodologies means evidence collection will be a slow process. In the <a href="https://www.aicd.com.au/corporate-governance-sectors/not-for-profit/studies/not-for-profit-governance-and-performance-study-2025.html">AICD 2024-25 NFP Governance &amp; Performance Study</a>, 53% of directors said they spent more time on duties than the prior year, reflecting a rise in compliance and assurance demands typical to director roles.</p>
<p>The quality of evidence also plays a key role. ASA 530 for Attribute Testing requires auditors to document a confidence of 90-95% or higher when ensuring controls are adequate. For key controls, i.e. anything relating to key vendors and processes, any deviation from the requirements must be as low as between <strong>0-5%</strong>. This leaves very little room for exceptions and drives the outcome of any review.</p>
<h4>2. Governance gaps in oversight</h4>
<p>The new requirements mandate clear board oversight to ensure third party relationships are well managed. In reality, most organisations in Australia delegate the ownership and oversight of all third party risk activities to Procurement and/or IT. Being able to prove involvement by leadership will be difficult, and in some cases, require adjustment to the responsibilities of leadership roles.</p>
<p>Consistently, we have observed either a lack of resource to dedicate to third party management or delegation to IT roles such as a Cyber Security Lead. The latter introduces implementation concerns, as Cyber Security Lead roles tend to lack the risk management knowledge required to undertake third party management.</p>
<h4>3. Consistent Risk Management throughout the Third Party lifecycle</h4>
<p>To successfully apply a structured and repeatable method to assessing risk throughout the third party lifecycle, organisations must have a formal enterprise risk management framework that is clear, functional and communicated to all staff involved in the process. The risk assessment process must consistently address selection, onboarding, monitoring, and offboarding.</p>
<p>Private and unlisted companies such as IT service providers, SMEs, NFPs and Charities have no legal obligation to implement a risk management framework, with the only exception being an ad-hoc approach for Work Health and Safety. Many third parties that would be used for IT services, marketing, legal services, etc. have no obligation to do so, increasing the risk of poor or no risk management across third party management. The Vero Insurance SME Insurance Index 2024/2025 reported that <strong>~90%</strong> of Australian businesses lack a formal risk management process, with 81–82% <strong>never or rarely</strong> conducting risk analyses when required.</p>
<h4>4. Ongoing monitoring just got harder</h4>
<p>Ongoing monitoring following onboarding is a process that is often not performed successfully, or at all, by the vast majority of organisations in Australia. The old habits of &#8220;set and forget&#8221; contracts are not good enough. Even multi-year contracts that address all requirements over the lifespan of the contract will require performance, compliance and cyber control assessment to ensure expectations are being met. Naturally, this will also lean on the risk management framework to determine if any such failures to meet expectations result in risks that are outside of the organisation&#8217;s appetite.</p>
<p>The <a href="https://www.mcgrathnicol.com/insight/the-changing-landscape-of-business-risk/">McGrathNicol/YouGov study</a> from August 2024 concluded that <strong>82%</strong> of Australian companies do not extend risk assessments beyond Tier-1 suppliers, and <strong>71%</strong> of companies that do assess third parties do not include security practices in their assessment.</p>
<h4>5. Aligning to increasing regulatory pressures</h4>
<p>The requirements explicitly reference compliance with local, national, and international regulations. For Australian organisations, that could mean at minimum the Privacy Act. However, certain industries are also affected by the Australian Prudential Regulation Authority (APRA) Prudential Standards CPS 230 Operational Risk Management and CPS 234 Information Security. For larger critical providers, the Security of Critical Infrastructure (SOCI) Act and Modern Slavery are just some additional considerations. Achieving consistency across various different regulations and standards increases complexity.</p>
<p>With the delay of requirements under APRA CPS 230 relating to pre-existing contracts to July 2026 for non-Significant Financial Institutions (SFIs), we can expect a natural increase in pressure as the date approaches. If the activities of APRA CPS 234 from 2019 are also an example of what is to come, we can expect at the very least a thematic review. APRA has already committed to conducting targeted reviews of SFIs as part of their 2025-2026 Corporate Plan.</p>
<h4>6. Strain on smaller organisations and public entities</h4>
<p>Large corporations and enterprises will easily absorb these changes, especially multinationals, as these requirements are not new. For Local Government councils, NFPs, small businesses and providers, these new requirements will demand a new focus on audit and compliance. This new focus will come two-fold as it not only requires additional investment and resource, it could also expose gaps that previously avoided the spotlight.</p>
<h4>7. Cultural resistance and a lack of Third Party strategy</h4>
<p>As with any uplift of requirements and increased complexity, cultural resistance is an expected reality. Australian organisations will fail unless they can overcome the outdated concept that third party management is a procurement-only task. Overcoming this requires the understanding that third party management is not only operational but also strategic. Our dependency on third parties can be improved by better managing the entire process, resulting in cost savings, efficiencies, lower insurance premiums, greater coverage, new client opportunities and much more.</p>
<p>In May 2024, the Australian Privacy Commissioner highlighted third-party providers as a “weak spot” in privacy and security postures of organisations, reinforcing the need for enterprise-level third party management strategy beyond only procurement or IT.</p>
<h3><strong>Why These Challenges Matter</strong></h3>
<p>Ultimately, these challenges are worth facing. The requirements encourage stronger governance, better risk management discipline, and greater transparency across leadership into third party relationships. For Australian organisations, this means better preparedness for cyber incidents, supply chain disruptions, reputational crises, and regulatory scrutiny.</p>
<p>Third parties are already the bread and butter of many critical functions within Australian organisations. We cannot expect adequate operations, security and assurance without expecting a level of quality that matches that of our own internal processes.</p>
<h3><strong>Where To Start with Third Party Management</strong></h3>
<p>In Part 2 of our Third Party Management publication we will go over some key steps to consider and to help you succeed in third party management.</p>
<h3><strong>How We Can Help You Build Organisational Resilience</strong></h3>
<p>We are here to help strengthen your organisational resilience, systems and processes. Our third party risk management capabilities include:</p>
<ul>
<li>In-house developed comprehensive vulnerability scanning of third parties.</li>
<li>Comprehensive third party risk management assessments to provide independent assurance.</li>
<li>Helping organisations take their first steps towards implementing a formal and proactive third party management framework.</li>
<li>Performing an independent review or health check of your existing third party management framework to identify gaps and level of maturity.</li>
<li>Conducting third party risk and cyber risk awareness workshops covering strategic, operational and project risks.</li>
<li>Conducting third party penetration tests and comprehensive audits.</li>
<li>Supporting you across a range of third party services including governance, business continuity, crisis management, cyber risk, third party monitoring and more.</li>
</ul>
<p>Take risk management to the next level and <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your needs.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CPS 230 Deadline Nears &#8211; Fix Blind Spots Now</title>
		<link>https://inconsult.com.au/publication/cps-230-deadline-nears-fix-blind-spots-now/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Thu, 10 Apr 2025 08:02:51 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=12543</guid>

					<description><![CDATA[<p>From 1 July 2025, APRA&#8217;s cross-industry Prudential Standard CPS 230 Operational Risk Management (CPS 230) will come into effect, setting a higher bar for how insurers manage operational risk, third-party arrangements, and business continuity. As the deadline looms, insurers falling behind must accelerate their readiness and embed sustainable processes that meet both the letter and [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/cps-230-deadline-nears-fix-blind-spots-now/">CPS 230 Deadline Nears – Fix Blind Spots Now</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>From 1 July 2025, APRA&#8217;s cross-industry <a href="https://www.apra.gov.au/operational-risk-management" target="_blank" rel="noopener">Prudential Standard CPS 230 Operational Risk Management</a> (CPS 230) will come into effect, setting a higher bar for how insurers manage operational risk, third-party arrangements, and business continuity. As the deadline looms, insurers falling behind must accelerate their readiness and embed sustainable processes that meet both the letter and spirit of the mandatory standard.</p>
<p>In this article, our Risk and Resilience team explore:</p>
<ul>
<li>Common implementation challenges, including vendor assessments, contract reviews, and data limitations</li>
<li>What insurers should be doing now to close gaps and embed good practice</li>
<li>The uplift needed in business continuity and resilience planning under the new metrics (MTPD, RPO, MSL)</li>
<li>The difference between BCP and Operational Risk scenario analysis</li>
<li>The importance of strong incident management, training, and documentation</li>
</ul>
<h3>Who Does CPS 230 Apply To?</h3>
<p>CPS 230 applies to all APRA-regulated entities, which includes:</p>
<ul>
<li>Banks and ADIs (Authorised Deposit-taking Institutions)</li>
<li>Life, general, and private health insurers</li>
<li>Reinsurers</li>
<li>RSE licensees (superannuation trustees)</li>
</ul>
<p>Importantly, CPS 230 also applies to intra-group service arrangements. Even where services are provided internally within a corporate group, entities must ensure that such arrangements are subject to the same level of governance, due diligence, monitoring, and exit planning as third-party providers.</p>
<p>This marks a notable shift, particularly for insurers who have historically relied heavily on group shared services or head office functions.</p>
<h3>CPS 230 is a Catalyst for Building Resilience</h3>
<p>While some feel that the focus of CPS 230 may be compliance, its intent is clear: to build genuine operational resilience across the financial services industry. For insurers, this is an opportunity to:</p>
<ul>
<li>Improve visibility and control over third-party dependencies</li>
<li>Build capabilities in identifying and managing non-financial risks</li>
<li>Strengthen the ability to withstand and recover from disruptions</li>
<li>Align operational processes with risk appetite and strategic priorities</li>
</ul>
<p>Insurers that take a proactive, integrated, and business-led approach to implementation will not only meet APRA’s requirements, but also enhance long-term resilience and stakeholder confidence.</p>
<h3>CPS 230 Challenges Experienced in Implementation</h3>
<p>Despite widespread awareness, many insurers are encountering similar roadblocks as they prepare for CPS 230. Some of the most common challenges include:</p>
<h4>1. Identifying Material Service Providers</h4>
<p>Identifying material service providers is proving difficult for many insurers. Applying consistent materiality criteria across business areas is challenging, particularly when vendor data is fragmented across multiple systems. In some cases, insurers are struggling to justify why certain providers have not been deemed material, exposing them to regulatory scrutiny.</p>
<h4>2. Contract Reviews and Negotiations</h4>
<p>Contract reviews and negotiations have emerged as another pressure point. Many legacy agreements lack critical provisions such as audit rights, sub-outsourcing controls, and exit terms that support resilience. Renegotiating contracts is often slow and complex—smaller or offshore vendors may resist changes, while in-house legal and procurement teams are stretched thin trying to manage the volume. These challenges are compounded by the heightened expectations around due diligence and ongoing monitoring, which are now more intrusive and resource-intensive than ever before.</p>
<h4>3. Siloed Risk and Continuity Practices</h4>
<p>A long-standing issue in many insurers is the siloed nature of operational risk, business continuity, and vendor management. These areas have historically operated independently, with limited cross-functional coordination. CPS 230 demands integration across these domains—an organisational and cultural shift that is both significant and resource-intensive. Further complicating matters, insurers are finding that critical operations do not always align neatly with existing business units or reporting lines, requiring rethinking of roles and responsibilities.</p>
<h4>4. Underdeveloped Scenario Analysis</h4>
<p>Scenario analysis is another area where insurers are still finding their footing. Many have limited experience in designing and executing operational risk scenarios, particularly ones that are both severe and plausible. Some struggle to engage the business meaningfully in defining these scenarios, while others lack the data and methodologies to assess financial and operational impacts with confidence.</p>
<h4>5. Board and Executive Readiness</h4>
<p>Board and executive readiness is variable. While some organisations have invested in targeted education, others are still bringing their Boards up to speed. There is a risk that senior leaders perceive CPS 230 as a compliance exercise, rather than a driver of resilience and strategic capability. Bridging this perception gap is essential to unlocking the full value of the standard.</p>
<h4>6. System and Data Constraints</h4>
<p>Technical and data limitations also persist. Many insurers continue to rely on legacy systems that do not support an integrated view of operational risk or enable effective ongoing monitoring. Risk registers are often inconsistent or incomplete, and insights may be limited due to a lack of automation, data visualisation, or access to timely information. These constraints hinder the ability to track emerging issues and manage risks proactively. In some cases, the design of the risk register itself is a limiting factor—too high-level to be useful, failing to capture critical details such as root causes, risk events, and consequences. The absence of robust quality control further undermines the reliability and value of these tools in decision-making and assurance.</p>
<h4>7. Change Fatigue and Competing Priorities</h4>
<p>Finally, the broader regulatory landscape is creating significant resourcing and sequencing challenges. CPS 230 is just one of several major reforms impacting the insurance sector. Insurers are also contending with the Financial Accountability Regime (FAR), CPS 511 on remuneration, and evolving expectations around climate and cyber risk management. While CPS 190 (Recovery Planning) has been in place for some time, CPS 900 (Exit Planning) currently applies only to larger, more complex institutions, yet its principles still influence industry expectations. Juggling these overlapping requirements with finite resources is proving difficult for many insurers. The result is mounting change fatigue, blurred priorities, and transformation programs that risk becoming reactive and fragmented rather than strategic and integrated.</p>
<h3>What Insurers Should Be Doing Now</h3>
<p>By April 2025, insurers should be approaching the final stretch of their CPS 230 implementation journey. This phase should focus on closing identified gaps, embedding new risk management practices into business-as-usual, and stress-testing systems and processes through robust scenario analysis.</p>
<h4>1. Hurry up and Finalise the CPS 230 Gap Analysis</h4>
<p>An essential starting point is finalising a detailed and well-evidenced gap analysis. Insurers should have already reviewed their existing operational risk frameworks and supporting documentation against the new CPS 230 requirements. This exercise must go beyond simply identifying missing processes—it should also assess whether existing practices are effective, integrated, and appropriately scaled to the organisation’s operational risk profile. A common shortfall is the disconnect between documented operational risk tolerances and the broader risk appetite framework. In some cases, tolerances exist but are not clearly linked to strategic objectives or appetite statements approved by the Board, undermining their usefulness in decision-making.</p>
<p>Additionally, many insurers are still maturing their understanding and articulation of disruption-related thresholds, such as Maximum Tolerable Period of Disruption (MTPD), Recovery Point Objectives (RPO), and Minimum Service Levels (MSL). These parameters are often treated as technical recovery targets rather than key inputs into business continuity planning and resilience assessment. CPS 230 requires insurers to bridge these conceptual and practical gaps to ensure that operational risk tolerances, resilience metrics, and risk appetite are aligned and meaningful in guiding business operations and continuity planning.</p>
<h4>2. Executing the CPS 230 Implementation Plan</h4>
<p>With gaps identified, a carefully structured and well-governed implementation plan is essential. This roadmap should set out clear priorities, responsibilities, deliverables, and milestones. Crucially, Board and executive buy-in is not optional. Active sponsorship from senior leadership, including regular progress reviews and resourcing decisions, is necessary to ensure momentum is sustained and the program does not become a compliance tick-box exercise.</p>
<h4>3. Enhancing the Operational Risk Framework</h4>
<p>The operational risk framework itself must evolve into a dynamic, forward-looking system. Insurers should be refreshing their risk definitions, control libraries, and taxonomies to reflect the operational risk profile unique to their business. The framework must clearly articulate who is responsible for identifying, assessing, monitoring, and mitigating operational risks. It should support strategic and operational decision-making, rather than sit in isolation.</p>
<h4>4. Material Service Provider Register and Oversight</h4>
<p>A core requirement under CPS 230 is the creation and ongoing maintenance of a register of material service providers, but this is just one element of a much broader uplift in third-party risk management. Identifying material providers is not simply a procurement or data exercise—it requires sound judgement, clear and consistently applied criteria, robust documentation of materiality decisions, and the ability to justify these determinations to APRA. Both external and intra-group providers may be material where their failure could significantly impact critical operations. However, beyond the register itself, insurers must also develop or strengthen Business Rules that articulate the minimum standards expected of service providers. These rules should serve as the foundation for legally binding contractual agreements, ensuring alignment with CPS 230 expectations around resilience, audit rights, performance management, data access, sub-outsourcing, and termination provisions.</p>
<p>Additionally, a comprehensive Service Provider Monitoring Framework must be in place to ensure ongoing oversight throughout the lifecycle of each relationship. This includes setting key performance and resilience metrics, monitoring adherence, conducting periodic reviews, and ensuring timely remediation of deficiencies. Together, the register, business rules, contracts, and monitoring arrangements form a cohesive control environment that demonstrates to APRA that third-party risks are being actively managed and governed.</p>
<h4>5. Strengthening Business Continuity and Resilience Planning</h4>
<p>Business continuity and resilience planning also require significant uplift under the new standard. Insurers must ensure that continuity plans are not only comprehensive and up-to-date but also tested against realistic and severe disruption scenarios. These plans should cover critical operations, supporting systems, data, people, facilities, and third-party dependencies.</p>
<p>CPS 230 introduces a more granular approach to continuity metrics, shifting away from the traditional Recovery Time Objective (RTO) and instead requiring entities to define the Maximum Tolerable Period of Disruption (MTPD or MAO), Recovery Point Objective (RPO), and Minimum Service Levels (MSL) for each critical operation. These parameters must be justified, achievable, and aligned with the insurer’s operational risk appetite and capabilities. Importantly, business continuity plans should not be owned solely by risk teams—they must be embedded in business operations, with clear accountability and awareness across the first line. This cultural shift is critical to ensuring resilience is operationalised and not just documented.</p>
<h4>6. Increasing Board and Executive Engagement</h4>
<p>Governance plays a pivotal role in the successful implementation of CPS 230. Boards and senior executives are not only expected to be informed and engaged, but also personally accountable for how operational risk is managed within their areas of responsibility. Under the Financial Accountability Regime (FAR), individuals in accountable roles must act with due skill, care, and diligence—and failure to do so may result in personal liability, including civil penalties of up to $1.53 million. As a result, effective oversight is not optional.</p>
<p>Boards must receive regular, high-quality updates on CPS 230 implementation and interrogate whether the organisation’s operational risk exposures are being managed within the established risk appetite. Where needed, targeted upskilling at both Board and executive levels should be undertaken to ensure the necessary capability exists to discharge these responsibilities.</p>
<p>In practical terms, accountable persons under FAR are expected to ensure that operational risks within their domain are identified, assessed, and mitigated; that material control weaknesses and incidents are reported and remediated promptly; and that risks related to service providers and potential disruptions are appropriately managed. This includes maintaining the operational risk management framework and strategy, reviewing and challenging the strength of control environments, facilitating the business continuity management program, and evaluating the operational risk profile against the Board’s stated appetite. Active governance—backed by clear accountability—is central to embedding CPS 230 in a meaningful and sustainable way.</p>
<h4>7. Improving Incident Management and Logging</h4>
<p>Incident management processes also require strengthening. Beyond logging and resolving issues, organisations must develop a learning mindset. This means analysing root causes, assessing control failures, identifying trends, and sharing insights across the business. Escalation thresholds and communication protocols should be refined to promote timely and appropriate response.</p>
<h4>8. Conducting Scenario Analysis</h4>
<p>Scenario analysis is another area where many insurers are still developing maturity. Under CPS 230, APRA expects insurers to assess the impact of plausible but severe disruptions on their operations—yet many organisations still treat this as a compliance formality rather than a strategic exercise. It&#8217;s important to distinguish between business continuity planning (BCP) scenarios and operational risk (OpRisk) scenarios.</p>
<p>BCP scenarios typically focus on testing the organisation’s ability to respond to and recover from specific disruption events—such as a data centre outage, cyberattack, or critical third-party failure. These exercises tend to be operationally driven and centred on continuity procedures, decision-making processes, and coordination under stress.</p>
<p>In contrast, OpRisk scenario analysis is a forward-looking risk management technique used to identify and quantify the financial and operational impact of extreme but plausible operational risk events. These scenarios are broader in scope, involve cross-functional input, and are often used to support capital assessments and risk appetite calibration.</p>
<p>CPS 230 challenges insurers to bridge the gap between these approaches—ensuring that both types of scenarios are aligned, relevant to the actual business model, and meaningfully integrated into resilience planning. Insurers should be able to demonstrate how scenario outcomes influence control improvements, response strategies, and operational risk capital decisions, rather than treating them as parallel, siloed activities.</p>
<h4>9. Training and Awareness</h4>
<p>Training and awareness efforts should now shift from general updates to targeted, role-specific education. Operational leaders, risk owners, and vendor managers must understand their obligations under CPS 230 and how these translate into their day-to-day responsibilities. Building a culture of operational resilience will only be possible if staff at all levels understand and own their part in the process.</p>
<h4>10. Documenting Everything</h4>
<p>Finally, documentation is key. APRA expects a comprehensive and auditable record of all frameworks, policies, registers, assessments, and decision-making processes. Insurers should not only be preparing to evidence compliance in July 2025, but also to demonstrate a process of continuous improvement over time.</p>
<h3>Final Thoughts</h3>
<p>CPS 230 is not just another compliance standard—it&#8217;s a framework for safeguarding trust, reputation, and stability in an increasingly complex risk landscape.</p>
<p>As the July 2025 deadline approaches, insurers must act decisively. A last-minute, compliance-only approach will not be sufficient to meet APRA&#8217;s expectations or to build the resilience that CPS 230 is designed to foster. The most effective implementation efforts are those that are embedded, Board-supported, and strategically aligned.</p>
<h3>Can We Help?</h3>
<p>Working with over 40 APRA regulated entities, the InConsult team has a deep understanding of financial services and the APRA prudential standards.  Since the implementation of the revised APRA Prudential Framework in 2001, we have helped our APRA-regulated clients navigate through the myriad of regulatory compliance requirements. We can assist in the review, redesign and uplift of internal policies, procedures, frameworks and training initiatives.</p>
<p>If you have any questions, or would like to know how we can help, <a title="Contact Us" href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/cps-230-deadline-nears-fix-blind-spots-now/">CPS 230 Deadline Nears – Fix Blind Spots Now</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>7 Challenges of a CPS 234 Tripartite Review</title>
		<link>https://inconsult.com.au/publication/7-challenges-of-a-cps-234-tripartite-review/</link>
		
		<dc:creator><![CDATA[William Makdessi]]></dc:creator>
		<pubDate>Tue, 30 Aug 2022 06:29:22 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=10286</guid>

					<description><![CDATA[<p>In 2021, the Australian Prudential Regulation Authority (APRA) started writing to financial service institutions to instruct them to engage an independent auditor/expert to undertake a one-off, tripartite review of their cyber-security against Prudential Standard CPS 234 Information Security (CPS 234). In this publication, we explore CPS 234 requirements and offer some advice on how to [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/7-challenges-of-a-cps-234-tripartite-review/">7 Challenges of a CPS 234 Tripartite Review</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>In 2021, the Australian Prudential Regulation Authority (APRA) started writing to financial service institutions to instruct them to engage an independent auditor/expert to undertake a one-off, tripartite review of their cyber-security against <a href="https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf" target="_blank" rel="noopener">Prudential Standard CPS 234 Information Security (CPS 234)</a>. In this publication, we explore the CPS 234 requirements and offer some advice on how to prepare for the tripartite review.</p>
<h2>What is CPS 234?</h2>
<p>CPS 234 is a mandatory information security legal requirement that took effect on July 1, 2019. It requires APRA-regulated financial institutions to strengthen their information security framework in order to protect themselves and their customers from the growing threat of cyber attacks. In addition, when a data breach or other security incident is discovered, businesses must respond in a timely manner and notify APRA.</p>
<h2>Why is cybersecurity so important to APRA?</h2>
<ol>
<li>Financial institutions are some of the most attractive targets for threat actors due to the potential size of financial rewards and value of the personally identifiable information (PII) and protected health information (PHI) on the dark web.</li>
<li>During the 2020-21 financial year, the <a href="https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-2020-21" target="_blank" rel="noopener">Australian Cyber Security Centre (ACSC) received 13 per cent more cybercrime reports</a> than in the previous year.</li>
<li>Financial institutions are increasingly using third parties to support their critical business activities. According to a survey from the <a href="https://www.ponemon.org/userfiles/filemanager/nvqfztft3qtufvi5gl60/" target="_blank" rel="noopener">Ponemon Institute</a>, 66% of companies surveyed had no idea how many third-party relationships they had or how they were managed, even though 61% of the surveyed companies reported having a breach attributable to a third party. Most of the breaches occurred because third parties had been given too much privileged access to data and systems.</li>
<li>APRA’s initial pilot of CPS 234 tripartite assessment that involved a small sample of banking, insurance and superannuation entities highlighted some concerns and the need for boards to play a more active role in:
<ul>
<li>Reviewing and challenging information reported by management on cyber resilience</li>
<li>Ensuring their entities can recover from high-impact cyber-attacks (e.g. ransomware)</li>
<li>Ensuring information security controls are effective across the supply chain</li>
</ul>
</li>
</ol>
<p>Clearly, APRA has grounds for concern, and the mandating of broader tripartite reviews indicates that it has no appetite to deal with a major data breach or any other cyber security incident.</p>
<h2>What is the CPS 234 Tripartite Review?</h2>
<p>APRA’s power to require financial institutions to undertake a tripartite review comes from <a href="https://www.apra.gov.au/sites/default/files/141120-GPS-310_0_0.pdf" target="_blank" rel="noopener">Prudential Standard GPS 310</a>, Audit and Related Matters.</p>
<p>A tripartite review is an assessment that involves three parties. In this case, the three parties include APRA, the entity being reviewed, and an assurance practitioner (an independent reviewer). The assurance practitioner can be selected by the entity but must be approved by APRA prior to commencing the review. The firm selected to perform the tripartite review should have appropriate skills, capabilities, and experience in conducting ASAE 3150 Assurance engagements and appropriate independence to conduct the CPS 234 assessment.</p>
<p>The tripartite independent cyber security assessments are one part of APRA&#8217;s broader Cyber Security Strategy for 2020 to 2024, which aims to improve the Australian financial system’s resilience against the ever-growing cyber threat.</p>
<p>For APRA-regulated entities with robust cyber security governance, documentation and practices, the CPS 234 tripartite review should be a relatively straightforward process. The entity will need to provide hundreds of important documents for the auditor to review in order to validate practices against the requirements of CPS 234 and report back to both APRA and the entity. The tripartite review will cover several elements:</p>
<ul>
<li>Roles &amp; Responsibilities</li>
<li>Information Security Capability</li>
<li>Policy Framework</li>
<li>Information Asset Identification &amp; Classification</li>
<li>Implementation of Controls</li>
<li>Testing Control Effectiveness</li>
<li>Incident Management</li>
<li>Internal Audit</li>
<li>APRA Notification</li>
</ul>
<h2>The Likely Challenges</h2>
<p>The size and complexity of the financial institution is little indication of how much work is involved in co-ordinating or performing the tripartite review. All tripartite reviews must be performed to ASAE 3150 requirements and assessed against the comprehensive assessment criteria (a CPS 234 checklist) provided by APRA, and the assurance report must be in a &#8220;long-form&#8221; format that includes:</p>
<ul>
<li>An executive summary</li>
<li>Details of the tests performed of each control objective</li>
<li>Key strengths and good practices</li>
<li>Exceptions &amp; weaknesses identified, with a risk rating in line with the entity&#8217;s risk criteria</li>
<li>Recommendations</li>
<li>Management response, agreed actions and timeframes</li>
</ul>
<p>From our experience, larger institutions will have a significant amount of documentation to provide but smaller institutions (Australian local branches) will require the same level of validation from the overseas parent.</p>
<p>Having conducted CPS 234 reviews, remediated cyber security gaps and aided APRA-regulated entities to prepare for tripartite reviews, we have noticed some trends in the challenges faced by organisations in various industries. If you have received or expect to receive an engagement letter from APRA, consider these 7 challenges to gear up for a positive outcome:</p>
<h4>1. Documented Processes</h4>
<p>While many organisations have an Information or Cyber Security Framework in place, the documentation of processes is a common gap. A policy is supported by a standard and a standard is supported by a procedure… or at least it should be.</p>
<p>Typically, the response procedures are not well documented. Common shortfalls include how to restore a backup, how to rebuild a server, how to transfer to a failover data centre, how to report fraud, and how to escalate and properly report to APRA… the list is extensive.</p>
<p>The auditor will be looking for &#8216;hard&#8217; evidence. Soft controls are good, but documented controls such as plans, test results and status reports are better.</p>
<h4>2. Information Asset Identification and Classification</h4>
<p>Information asset identification and classification was a first for many APRA-regulated entities once CPS 234 was introduced.</p>
<p>Traditionally, asset registers were kept by the IT department to manage physical assets in an environment where everything was hosted onsite locally. Under CPS 234, information assets are not just physical and require more than just identification and classification. To even classify an information asset, we need to understand what the definition of materiality is. Even then, there are multiple definitions of materiality in a single organisation depending on the context.</p>
<p>Clearly define materiality from an Information Technology perspective and build an Information Asset framework around that. As a starting point, ensure all assets are covered and include a description of the asset, the asset owner, the asset host, criticality of the data, sensitivity of the data, lifecycle of the asset and a risk rating aligned with the Risk Management Framework.</p>
<h4>3. Processes based on Information Asset</h4>
<p>We commonly see IT infrastructure that is built upon the knowledge and experience of senior IT architects. No complaint here: many are well designed and function beautifully, but there is no evident risk assessment behind the configurations. The criticality and sensitivity of assets should be used as a guide when configuring traffic policies, interface setups, user access management and group policies.</p>
<p>The reasoning behind this is that the risk assessment of an information asset can be linked back to the risk consequences table of the organisation, making the risk quantifiable or measurable. This helps to not only respond to incidents but also better manage risk-taking. Organisations need to take some level of risk to grow. As a basic example, if all data was treated as overly sensitive, there would be hesitance to outsource hosting to a vendor to expand operations to a secondary office.</p>
<h4>4. Third Party Information Security Capability</h4>
<p>A term used commonly by APRA is &#8220;Information Security capability&#8221;. This term refers not only to the entity being reviewed; it also includes all vendors or third parties that are material or critical to the operation of the organisation. While third party assessment has been a hot topic in Australia in the last 12 months, the level of detail we are seeing in assessments is not sufficient. Performing the typical annual assessment and adding on &#8220;have you got a Business Continuity Plan (BCP) or Cyber Incident Response Plan?&#8221; is simply not enough. This does not paint a picture of the capability of the vendor and does not provide adequate assurance of continuity.</p>
<p>Additionally, there needs to be detailed and documented contingency plans for each vendor should their recovery processes fail. Vendors or third parties should be assessed to the same standard as your own organisation for you are only as strong as your weakest link. Outsourcing assets does not outsource responsibility or risk.</p>
<h4>5. Evolving Position Descriptions</h4>
<p>With the hybrid workforce being the new normal, flexibility is not only evident in working environments. The position description of a role is leaning more towards dynamic responsibilities and many Chief Information Officers (CIOs) we have spoken to agree. The issue with dynamic roles is occasionally they are not reflected in a formal document or the official position description of the individual.</p>
<p>As an example, we have seen cryptography custodians assigned responsibility without it being officially documented. One of the greatest risks to comprehensive cryptographic frameworks is the malintent or abuse of a privileged custodian. Critical responsibilities should be documented to allow the governance of appropriate vetting and ensuring individuals are appropriately assigned the responsibility. If documenting these responsibilities to a specific role is too difficult or time consuming, consider documenting them at a team level.</p>
<h4>6. Frequency and Scope of Testing</h4>
<p>Annual testing of all critical systems can be an arduous task, and the unfortunate shortage of certified Information Technology (IT) resources currently affecting the industry does not help. Whether it is a budget or resource issue, we are seeing infrequent testing and/or the exclusion of critical systems from annual testing. Tests should not only include exercises and tabletop drills; they should also include the recovery testing of backups and failover solutions.</p>
<p>There is also nothing wrong with planning a full scope test of critical systems as part of a multi-year program due to resource limitations, as long as it is clearly documented. Multi-year roadmaps show a commitment to better practice and can be altered as higher risk or higher priority assets are acquired or created.</p>
<h4>7. Evidence Methodology</h4>
<p>IT teams understand the need for testing, and evidence is well documented in the form of screenshots, results and reports for escalation to the leadership team. What is lacking in the evidence we see is the methodology that the testing is based on. Why was this system selected, what is the likelihood and consequence of an outage of such a system, why was it tested in this manner and what were staff hoping to achieve? Be sure to include a test rationale, the processes executed, a review of results, or evidence of a review of the testing program prompted by those results.</p>
<p>Continual improvement also seems to be a low priority. Testing and gathering forensic evidence should not be a tick-box activity, it should aim to improve systems, procedures and the testing program itself. Should you ever be faced with a real-world incident, you will be thankful for it.</p>
<h2>Cost vs Benefit of CPS 234 Review</h2>
<p>The CPS 234 Information Security Tripartite Review has a number of limitations.</p>
<p>Firstly, whilst the review is mandated by APRA, the cost is borne by the entity. With a shortage of cyber risk experts, coupled with the &#8216;great resignation&#8217; phenomenon and the level of detail required by APRA, it is not going to be cheap. To help reduce costs, we are suggesting:</p>
<ul>
<li>performing a self-assessment first</li>
<li>allowing some time to remediate &#8216;quick win&#8217; shortfalls</li>
<li>running a series of workshops to gather information from multiple sources</li>
<li>considering the comprehensive list of documents required during a review</li>
</ul>
<p>Also, many elements of the review are only good at a point in time. Within 6 months after the tripartite review, the cyber risk environment will change.</p>
<h2>Review Benefits</h2>
<p>The CPS 234 Information Security Tripartite Review is a great initiative that we strongly believe will improve the maturity of financial services in Australia. APRA has based the review on three focal areas, hoping to achieve:</p>
<ul>
<li>The establishment of a baseline of cyber controls</li>
<li>Enabling boards and executives of financial institutions to oversee and direct correction of cyber exposures</li>
<li>Rectifying weak links within the broader financial eco-system and supply chain</li>
</ul>
<p>By aiming to improve an entire industry by acknowledging it is a shared effort, APRA is hoping to minimise the cascading effects of a cyber incident on an entire system or industry. By including all APRA-regulated entities in the scope, there is no way around it and the end-result should positively impact the financial sector in Australia.</p>
<h2>Can We Help?</h2>
<p>The InConsult team has a deep understanding of insurance and the APRA prudential standards including CPS 234 and the requirements of the tripartite review. Since the implementation of the revised APRA Prudential Framework in 2001, we have helped APRA-regulated clients navigate through the myriad of regulatory compliance requirements. Our cyber security experience includes:</p>
<ul>
<li>Independent CPS 234 reviews</li>
<li>Preparing for CPS 234 tripartite reviews</li>
<li>Remediating gaps in all elements of cyber security, including third parties</li>
<li>Comprehensive independent reviews of the ICAAP, risk management and reinsurance framework</li>
</ul>
<p>If you have been approached by APRA to take part in a tripartite review or are anticipating a review, <a href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/7-challenges-of-a-cps-234-tripartite-review/">7 Challenges of a CPS 234 Tripartite Review</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How the SA Government Data Breach was avoidable</title>
		<link>https://inconsult.com.au/publication/how-the-sa-government-data-breach-was-avoidable/</link>
		
		<dc:creator><![CDATA[William Makdessi]]></dc:creator>
		<pubDate>Tue, 21 Dec 2021 00:45:19 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=8945</guid>

					<description><![CDATA[<p>The South Australian Government (SA Gov) have been affected by a data breach of over 80,000 staff enrolled in their payroll system provided by Frontier Software. This is now the largest Australian Government data breach on record. For those unfamiliar with Frontier Software, they are the providers of the Chris21 platform used by many government [&#8230;]</p>
]]></description>
<content:encoded><![CDATA[<p>The South Australian Government (SA Gov) has been affected by a data breach exposing the records of over 80,000 staff enrolled in its payroll system, which is provided by Frontier Software.</p>
<p><span style="color: #ff0000;"><strong>This is now the largest Australian Government data breach on record. </strong></span></p>
<p>For those unfamiliar with Frontier Software, it is the provider of the Chris21 platform used by many government bodies across Australia. Frontier Software is a &#8216;vendor&#8217; to the SA Gov and those other government bodies.</p>
<p>This data breach reinforces the fact that no matter how strong an organisation&#8217;s own cyber security practices are, it must never neglect the cyber security posture of the vendors, third parties and suppliers that hold its sensitive information.</p>
<h3>The data breach incident</h3>
<p>Frontier Software <a href="https://au.frontiersoftware.com/news-and-articles/frontier-software-cyber-incident">first reported</a> experiencing a cyber incident on the 16<sup>th</sup> of November 2021 with specifics of the incident limited to system users. The data breach resulting from the incident was first discovered on the 8<sup>th</sup> of December 2021 and quickly confirmed by the <a href="https://www.sa.gov.au/topics/emergencies-and-safety/types/cyber-security/frontier-software-data-breach">South Australian Government</a> on 9<sup>th</sup> December 2021.</p>
<p>The SA Gov was quick to act and transparent in disclosing what type of data was breached. The leaked payroll data included all the sensitive information typical of employment enrolment, such as names, residential addresses and dates of birth, as well as the more critical tax file numbers and banking details.</p>
<p>While the SA Gov&#8217;s response of monitoring affected individuals was quick and may prove effective, the data is still out there, and breached data is often held for years before it is actually exploited. The individuals affected may see unusual activity long after the increased monitoring has ended.</p>
<p>Setting aside the reactive response, what proactive measures were missing that could have prevented this breach from ever occurring?</p>
<h3>Our analysis &#8211; What we found</h3>
<p>Using a combination of our vendor assessment tools, which draw on billions of data points, we were able to determine the weak point in Frontier Software’s security and assign a grade.</p>
<p><img fetchpriority="high" decoding="async" class="aligncenter" src="https://inconsult.com.au/wp-content/uploads/2021/12/rating.png" alt="data breach" width="371" height="194" /></p>
<p>Email security was the red flag, scoring a mere 206 out of 950 and resulting in a D rating. The rating was based on two critical outstanding risks: no email SPF policy and no email DMARC policy.</p>
<p>These two policies are both free and simple to set up. Having neither of them meant that anyone with an internet connection could send a fake email using <strong>real</strong> Frontier Software email addresses in a matter of minutes, a task that anyone with basic Google skills could undertake using online tools that are freely available to the public.</p>
<p><img decoding="async" class="aligncenter" src="https://inconsult.com.au/wp-content/uploads/2021/12/email-policy.png" alt="data breach" width="367" height="171" /></p>
<p>There is a high probability that the lack of basic email security is the source of the ransomware attack experienced by Frontier Software. Statistically, email phishing is the most common form of attack in Australia, and the lack of these controls would have allowed a threat actor to easily emulate a genuine internal email between staff.</p>
<p>Security in other areas, such as network, website and malware security, was on par with the industry average for third-party software vendors, scoring a low B rating on average. This in itself could be another red flag, pointing to the inadequate state of the industry average for cyber security. In an industry focused on providing software as its core product, cyber security should be one of its greatest strengths.</p>
<p>In the last week we have seen Frontier Software’s security score slowly increase to break through the overall industry average, perhaps in response to the ransomware attack, though unfortunately too little, too late. Organisations should be addressing these issues before a data breach and having independent assessments performed regularly to test and validate their controls.</p>
<h3>How we find potential data breach vulnerabilities</h3>
<p>A risk assessment like the one we performed on Frontier Software requires a combination of tools that check external, public-facing security controls. This is the same place a threat actor would start, often using similar tools to search for weak points. Once we identify them, these weak points are categorised into different types of security and given a severity rating based on their potential impact.</p>
<p>By identifying these weak points and providing remediation advice, we allow organisations to set a clear path and prioritise the changes required so that higher-impact threats are mitigated before they materialise.</p>
<p><img decoding="async" class="aligncenter" src="https://inconsult.com.au/wp-content/uploads/2021/12/frontier-risk.png" alt="data breach" width="362" height="332" /></p>
<h3>What could they have done to prevent the data breach?</h3>
<p>It is easy to point the finger and blame the software provider for having poor controls that resulted in a data breach. In actuality, both sides of the fence are responsible for the lack of controls.</p>
<p>The poor state of Frontier Software’s email security not only shows that independent cyber posture assessments weren’t performed; it also means that Frontier Software’s clients and vendors do not have due diligence processes that are strict enough and tailored to the vendor. A software provider should be assessed for specific technical controls, such as email security policies, before it is onboarded.</p>
<p>Organisations should be monitoring and assessing their own and their vendors’ cyber postures at least annually. With the rapidly evolving cyber threat landscape, choosing to assume a secure environment or vendor can have drastic effects in a mere matter of months.</p>
<p>If Frontier Software had penetration testing or cyber posture assessments performed annually, these weak points would have been discovered upon initial assessment and could be rectified within a matter of days.</p>
<p>Similarly, if a client utilising their payroll suite had independent vendor assessments performed annually, these issues would have been identified and a roadmap put in place to rectify them before it is too late.</p>
<p>Email security is best addressed through the implementation of three security policies. SPF, DKIM and DMARC policies cost all of <strong>zero</strong> dollars to implement and could be completed within a single day (especially SPF and DKIM). Many email service providers such as Microsoft have built-in tools that simplify the process and even generate policies for you.</p>
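<p>As an added illustration (not InConsult’s assessment tooling, and not Frontier Software’s real DNS records), the following Python checker grades a domain’s SPF and DMARC posture from DNS TXT records that have already been fetched, so it runs offline on the constructed sample below. The domains, records and the simplified letter-grade scale are all assumptions made for the example; to use it live, fetch the TXT records of the domain and of its <code>_dmarc</code> subdomain with your resolver of choice and pass them in.</p>

```python
from dataclasses import dataclass

# Severity ranking used to order findings and derive the letter grade.
SEVERITY = {"critical": 3, "high": 2, "medium": 1, "info": 0}
GRADE_FOR_WORST = {"critical": "D", "high": "C", "medium": "B", "info": "A"}


@dataclass
class Finding:
    control: str   # "SPF" or "DMARC"
    severity: str  # key of SEVERITY
    detail: str


def assess_spf(apex_txt: list[str]) -> list[Finding]:
    """Evaluate the TXT records of the domain itself for an SPF policy."""
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("SPF", "critical", "no SPF record published")]
    if len(spf) > 1:
        # RFC 7208 allows exactly one SPF record; duplicates are a
        # permanent error for receivers, which is as bad as having none.
        return [Finding("SPF", "critical", "multiple SPF records published")]
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return [Finding("SPF", "high", "SPF record has no 'all' mechanism")]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "-":
        return [Finding("SPF", "info", "SPF ends with -all (hard fail)")]
    if qualifier == "~":
        return [Finding("SPF", "medium", "SPF ends with ~all (soft fail only)")]
    return [Finding("SPF", "high", f"SPF ends with {qualifier}all (no enforcement)")]


def parse_dmarc_tags(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(dmarc_txt: list[str]) -> list[Finding]:
    """Evaluate the TXT records of the _dmarc subdomain for an enforcing policy."""
    dmarc = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [Finding("DMARC", "critical", "no DMARC record published")]
    tags = parse_dmarc_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    findings = []
    if policy == "reject":
        findings.append(Finding("DMARC", "info", "DMARC policy is reject"))
    elif policy == "quarantine":
        findings.append(Finding("DMARC", "medium", "DMARC policy is quarantine"))
    else:
        # p=none (or a missing/invalid p tag) only asks receivers to report,
        # so spoofed mail is still delivered.
        findings.append(Finding("DMARC", "high", f"DMARC policy is {policy or 'missing'} (monitor only)"))
    pct = tags.get("pct", "100")
    if policy in ("reject", "quarantine") and pct != "100":
        findings.append(Finding("DMARC", "medium", f"DMARC applied to only {pct}% of mail"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "info", "no rua= address, so no aggregate reports"))
    return findings


def grade(apex_txt: list[str], dmarc_txt: list[str]) -> tuple[str, list[Finding]]:
    """Combine SPF and DMARC findings; the worst finding sets the letter grade."""
    findings = assess_spf(apex_txt) + assess_dmarc(dmarc_txt)
    findings.sort(key=lambda f: SEVERITY[f.severity], reverse=True)
    return GRADE_FOR_WORST[findings[0].severity], findings


# Constructed sample records for hypothetical domains (no live DNS lookups).
# Each entry holds the TXT records of the apex domain and of _dmarc.<domain>.
SAMPLE = {
    "vendor-none.example": ([], []),  # the gap the assessment above reported
    "vendor-monitor.example": (
        ["v=spf1 include:spf.protection.outlook.com ~all"],
        ["v=DMARC1; p=none; rua=mailto:dmarc@vendor-monitor.example"],
    ),
    "vendor-enforced.example": (
        ["v=spf1 include:spf.protection.outlook.com -all"],
        ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@vendor-enforced.example"],
    ),
}

if __name__ == "__main__":
    for domain, (apex, dmarc) in SAMPLE.items():
        letter, findings = grade(apex, dmarc)
        print(f"{domain}: grade {letter}")
        for f in findings:
            print(f"  [{f.severity}] {f.control}: {f.detail}")
```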
<h3>Australia is falling behind the rest of the world</h3>
<p>With such a simple setup and zero cost for controls that could easily prevent a successful cyber attack, we really are just one click away from poor cyber security.</p>
<p>Globally, the three email security policies mentioned above are widely adopted. Trends suggest that as many as 80% of organisations have email security policies enforced, preventing email fraud (also known as email spoofing).</p>
<p>Unfortunately, in Australia the trend is just as strong, but in the opposite direction.</p>
<ul>
<li>InConsult research into email security practices in one single NSW government sector in 2021 concluded that over 90% of 128 organisations analysed had no or poorly configured email security policies allowing a threat actor to easily deliver successful email phishing attacks.</li>
<li>The <a href="https://www.itnews.com.au/news/nsw-gov-cyber-security-progress-insufficient-audit-finds-571963">NSW Audit Office reported</a> in October 2021 that government agencies have made “insufficient progress to improve cyber security safeguards” since the introduction of the government’s cyber security policy, and “the poor levels of cyber security maturity are a significant concern.”</li>
</ul>
<p>With the vast majority in that sector also reporting at least one successful phishing attack in 2020-2021, it’s difficult to ignore the link between poor email security and data breaches.</p>
<p>Don&#8217;t forget your vendors! Independent cyber posture assessments are crucial in not only identifying flaws but ensuring they can be prioritised for remediation. There is good reason that the most commonly used cyber security frameworks have a heavy focus on independent cyber posture assessments and independent vendor assessments.</p>
<h3>How we help strengthen vendor risk management</h3>
<p>Organisations understand the risks of doing business with third-party vendors, but they often lack the resources or expertise to implement and maintain effective vendor risk mitigation strategies, and that gap can turn out to be costly. We have the expertise to help you gain insights into your vendors&#8217; risks and recommend remediation strategies.</p>
<p>Our experienced cyber risk team uses industry-leading technology to monitor millions of companies, scan billions of data points and send targeted cyber security questionnaires to answer one question: how risky or secure are my vendors?</p>
<p>Our Vendor Domain Scan and Cyber Security Questionnaires deliver 6 benefits to you:</p>
<ol>
<li><strong>Know your vendors&#8217; cyber security posture:</strong> Our analysis will provide insight into vendors’ cyber security posture and include an overall security rating.</li>
<li><strong>Pinpoint the gaps and vulnerabilities:</strong> We help expose the vulnerabilities that may be exploitable on vendors’ websites and their cyber security practices.</li>
<li><strong>Compare vendors across the ecosystem:</strong> Our executive reports identify which vendors pose the highest risk across your entire vendor ecosystem.</li>
<li><strong>Security questionnaires:</strong> Targeted cyber security questionnaires with workflows allow deeper insights into a vendor’s security practices.</li>
<li><strong>Targeted reporting:</strong> We group risks into website risks, email security, network security, phishing &amp; malware, reputation and brand protection.</li>
<li><strong>Start a conversation:</strong> You can work more closely with your vendors to communicate, discuss and remediate any gaps, or simply stop using higher-risk vendors.</li>
</ol>
<h3>Take the next steps</h3>
<p>Don&#8217;t play the waiting game. The SA Gov data breach is a timely reminder that you should not neglect the cyber security posture of your vendors and how your organisation manages vendor risks.</p>
<p>Now is the time to move beyond cyber security to cyber resilience. InConsult is committed to helping organisations manage cyber risks and opportunities. We have extensive experience in vendor risk management, cyber risk management, vendor audit and assurance, crisis management and business continuity.</p>
<p>If you would like support in becoming a more cyber resilient organisation, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Achieving Cyber Resilience: A New Framework</title>
		<link>https://inconsult.com.au/publication/achieving-cyber-resilience/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Sun, 28 Feb 2021 21:17:49 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=5700</guid>

					<description><![CDATA[<p>With more people working from home in response to the pandemic, a shift to a decentralised hybrid workforce model, 5G network expansion, more connected devices, a growing trend towards Bring Your Own Device (BYOD), greater frequency and sophistication of ransomware attacks and greater dependency on third parties, cyber resilience (not just cyber security) has never [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p>With more people working from home in response to the pandemic, a shift to a decentralised hybrid workforce model, 5G network expansion, more connected devices, a growing trend towards Bring Your Own Device (BYOD), greater frequency and sophistication of ransomware attacks and greater dependency on third parties, cyber resilience (not just cyber security) has never been more important.</p>
<p>What does cyber resilience really mean? How is it different from cyber security? What are the essential elements of cyber resilience? At InConsult, we help build more resilient organisations, so in this publication we take a deep dive into the topic of cyber resilience.</p>
<h3>What is cyber resilience?</h3>
<p>The US National Institute of Standards and Technology (NIST) defines cyber resilience as &#8220;the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that include cyber resources.&#8221;</p>
<p>At its core, cyber resilience is the ability to anticipate, prepare for, respond to and recover from cyber attacks or disruptions impacting information technology. It acknowledges that cyber security on its own is not enough. Cyber resilience is built on the premise that disruptions, attacks and incidents are bound to occur and availability should continue even when affected by adverse cyber events. So, while it would be great to prevent them, organisations should take time to plan how they will detect, respond and successfully recover.</p>
<p>Cyber security is a subset of cyber resilience that focuses on preventing cyber attacks and incidents. It consists of technologies, processes and measures that are designed to protect systems, networks and data from cyber attacks. It is proactive and aims to significantly reduce the likelihood and impact of bad things happening in the first place.</p>
<p>Hackers are always looking for vulnerabilities or weak points to pursue opportunistically. These weaknesses are not always ineffective cyber security; they can be weaknesses in human psychology or simple human errors. In fact, according to Gartner, system misconfigurations accounted for over 75% of breaches. In another study, 40% of breaches occurred due to human error. So it is reasonable to assume that misconfigurations, human errors and disruptions will occur and that hackers will eventually gain access to your network, systems and data, and therefore you should always prepare for the worst.</p>
<p>Accepting that a cyber attack will occur does not mean you are giving in to hackers. It does not mean you should be complacent about your cyber security. It simply means you are prepared and ready.</p>
<h3>What are the benefits of cyber resilience?</h3>
<p>As a result of developing a robust cyber resilience framework, organisations will have in place layers and layers of internal controls, across all information systems, at different levels in the organisation and at different stages of preparedness. Done well, an effective cyber resilience framework delivers many benefits:</p>
<ul>
<li>Improves overall cyber risk governance and culture</li>
<li>Proactively anticipates the types of cyber risks</li>
<li>Strengthens internal systems, plans and processes to prevent, detect and recover from a cyber attack</li>
<li>Enhances existing controls through continual review and improvement</li>
<li>Enhances compliance with regulatory requirements</li>
<li>Reduces financial costs and productivity losses</li>
<li>Protects the organisation&#8217;s brand and reputation</li>
</ul>
<h3>What are the key elements of cyber resilience?</h3>
<p>After an in-depth literature review of several cyber resilience frameworks, and from our own experience working with a range of clients, we have proposed a cyber resilience framework containing 6 essential elements.</p>
<p>No framework will ever be perfect or suitable for every organisation. However, our cyber resilience framework has a number of subtle differences from the current frameworks we observed, such as:</p>
<ul>
<li>Governance is the first step and forms the foundation of cyber resilience. Governance exists across all elements of the framework.</li>
<li>We separate resilience into 2 states &#8211; (1) pre incident state and (2) post incident state.</li>
<li>We include &#8216;refine&#8217; as a centrepiece of the framework to ensure continuous improvement is considered before and after an incident.</li>
</ul>
<p><img loading="lazy" decoding="async" class="size-full wp-image-5702 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2021/02/cyber-resilience-framework-inconsult.jpg" alt="" width="1081" height="643" srcset="https://inconsult.com.au/wp-content/uploads/2021/02/cyber-resilience-framework-inconsult.jpg 1081w, https://inconsult.com.au/wp-content/uploads/2021/02/cyber-resilience-framework-inconsult-300x178.jpg 300w, https://inconsult.com.au/wp-content/uploads/2021/02/cyber-resilience-framework-inconsult-768x457.jpg 768w" sizes="(max-width: 1081px) 100vw, 1081px" /></p>
<h3>1. Governance</h3>
<p>Achieving cyber resilience is unlikely to happen unless there is a formal and proactive governance framework in place that outlines the organisation&#8217;s intent, commitment, practices, plans and responsibilities for achieving cyber resilience. The level of governance will vary depending on the size, complexity and nature of each organisation.</p>
<p>The cyber resilience framework can be stand-alone or part of a broader resilience framework. Whatever you choose, it should be aligned to the overall governance and risk management framework of the organisation. This means documented strategies, principles, policies, rules and procedures are in line with the overall governance framework as well as the organisation&#8217;s IT strategy.</p>
<h4>The board</h4>
<p>Cyber resilience must be a primary focus of the board (or governing body) and senior management. They must provide leadership and commitment to help define the organisation&#8217;s culture. It is not something that can be left solely to the Chief Information Officer, security team or incident response team.</p>
<p>Boards should take ownership of cyber resilience oversight and ensure key policies and written directions are reviewed on a periodic basis. The board should also support and participate in key cyber risk management decisions, and receive regular updates on security issues, risks and overall compliance.</p>
<h4>Accountability</h4>
<p>Roles and responsibilities within the framework should be well defined. At a minimum, roles and responsibilities should be defined across the three lines, e.g. the board and committees, senior management, risk management, and internal and external audit.</p>
<p>It is also important to identify the key stakeholders within the cyber resilience framework to ensure their needs are addressed. Stakeholders will be both internal and external &#8211; including vendors, security analysts and threat intelligence agencies.</p>
<h4>Continual improvement</h4>
<p>A process for monitoring, reviewing, exercising and continually improving the resilience framework should also be in place.  This can include well-known improvement practices such as PDCA (Plan-Do-Check-Act) or ITIL’s Continual Service Improvement.</p>
<h3>2. Identify</h3>
<p>Once the baseline governance structures are in place, the next step is to anticipate and recognise the range of possible cyber risks, their causes and consequences. This step is about better understanding your organisation&#8217;s environment and cyber risk posture.</p>
<h4>Risk assessment</h4>
<p>A formal cyber risk assessment is used to identify, analyse, evaluate and prioritise risk arising from the operation and use of information systems and networks, including key vendors across the supply chain. The risk assessment should:</p>
<ul>
<li>Consider the information assets and owners.</li>
<li>Consider the value of information.  If boards and senior management understand the value of their data to those with malicious intent, if they know where that data is, how it is protected, and who has access to it (including external sub-contractors), then they are in a stronger position to implement a cyber resilient business model.</li>
<li>Identify and prioritise information assets e.g. hardware, software, data and processes.</li>
<li>Identify the compliance obligations across the legal jurisdictions you operate in.</li>
<li>Identify cyber risks and sources e.g. unauthorised access, service disruption, human error.</li>
<li>Identify and evaluate the many layers of controls that currently exist and the effectiveness of their assurance.</li>
<li>Determine the level of risk that remains after the controls are considered.</li>
<li>Prioritise risks and develop additional risk treatments as required.</li>
</ul>
<h4>Risk identification</h4>
<p>There are many ways to identify cyber risks.  Typically, organisations use several methods including:</p>
<ul>
<li>Brainstorming</li>
<li>Focus groups</li>
<li>Experience and knowledge</li>
<li>Scenario analysis</li>
<li>Incident analysis</li>
<li>Data analytics</li>
<li>Penetration test results</li>
<li>External security experts</li>
<li>Industry experts</li>
</ul>
<p>The risk assessment process should follow good practice standards such as <a href="https://www.iso.org/standard/65694.html" target="_blank" rel="noopener">ISO 31000 Risk management – Guidelines</a> or The Committee of Sponsoring Organizations of the Treadway Commission (COSO) guides which address how companies can use ERM Frameworks to assess cyber risks.</p>
<p>Identifying risks is not a one-off activity. Since hackers are continually finding new ways of penetrating systems and escaping detection, it is critical that risks and controls are evaluated regularly.</p>
<h3>3. Protect</h3>
<p>Now that the risks are known, this element is about implementing the right controls (policies, procedures, plans, activities) to either prevent or mitigate the impact of a cyber risk.</p>
<p>What are we protecting? What are we trying to achieve? At this point, let&#8217;s look at the Cyber Security CIA Triad.</p>
<h4>Confidentiality, integrity and availability</h4>
<p>The CIA Triad is a security model that aims to help people think about the various elements of IT security. It comprises three elements:</p>
<ul>
<li>Confidentiality &#8211; the set of rules that restricts access to information to the right people</li>
<li>Integrity &#8211; ensures the information is trustworthy and accurate</li>
<li>Availability &#8211; a guarantee that the information is readily available to authorised people when needed</li>
</ul>
<p>These elements of the CIA Triad security model are considered the three most important concepts within information security.</p>
<h4>Types of controls</h4>
<p>To protect the organisation, layers upon layers of rigorous controls are needed. Why? In the event one layer fails, there are other layers that work to reduce the cyber risks. In fact, good cyber security will require a wide range of controls that work in different ways and at different points. Controls will have different characteristics, such as:</p>
<ul>
<li>Preventative controls e.g. passwords or passphrases</li>
<li>Detective controls e.g. intrusion detection systems</li>
<li>Corrective controls e.g. data backup and recovery</li>
<li>Hard controls e.g. user access logs</li>
<li>Soft controls e.g. policies, training</li>
</ul>
<h4>Layers of controls</h4>
<p>Now that we know the characteristics of internal controls, here are some examples of controls that help protect from cyber risks:</p>
<ul>
<li>Information and security policies covering data, computers and devices, emails and internet sites</li>
<li>Physical and environmental security</li>
<li>Network and communications security</li>
<li>Network segmentation and segregation procedures</li>
<li>Data encryption at rest and in transmission</li>
<li>Patch management</li>
<li>Configuration and change management</li>
<li>Application controls</li>
<li>User application hardening</li>
<li>Enforce strong password policy</li>
<li>Use passphrases instead of passwords to protect highly sensitive data</li>
<li>Systems security</li>
<li>Email and web content filtering</li>
<li>TLS encryption between email servers</li>
<li>Asset classification and management</li>
<li>Endpoint security &amp; intrusion detection</li>
<li>Identity and user access control</li>
<li>Email spoofing policies (e.g. DMARC)</li>
<li>Multi-factor authentication</li>
<li>Review and secure administrative privileges</li>
<li>Security team competence and regular training</li>
<li>Redundancy and backup systems of data and applications</li>
<li>Decommissioning of systems no longer needed</li>
<li>Crisis management team exercises</li>
<li>Cyber security staff awareness training</li>
<li>Conduct of email phishing simulations</li>
<li>Vendor risk assessment and formal risk management</li>
<li>Formal incident response and recovery plans</li>
<li>Cyber liability insurance</li>
</ul>
<p>The bottom line is, every layer counts and every layer is important.</p>
<h4>Control monitoring</h4>
<p>Final warning! Just because you have layers of controls to protect the organisation does not mean you can stop thinking about cyber risks.  Effective cyber resilience requires continuous monitoring, review and investment in upgrading and refining of these protective systems as a normal part of business.  An appropriate budget is therefore critical.</p>
<h3>4. Detect &amp; Refine</h3>
<p>Having effective controls to protect against cyber risks is only part of the solution.  Ongoing, active and continual monitoring of the wider network and information systems to detect and escalate issues and potential cyber security incidents quickly is a key element of cyber resilience.</p>
<h4>Early warning systems</h4>
<p>Organisation-wide continuous monitoring and incident detection systems are implemented to monitor incidents on the organisation&#8217;s network and systems using Intrusion Detection Systems and Security Information and Event Management (SIEM) technologies. They are designed to detect and alert management to anomalies including user behaviour and abnormal changes in information across the networks, measured against a baseline reference of ‘normal’ activity.</p>
<p>It is good practice to have automated dynamic analysis of email and web content that blocks suspicious behaviour when identified.</p>
<h4>Penetration testing</h4>
<p>Using information security specialists to attempt to break into an organisation’s networks e.g. penetration testing, engaging ethical &#8216;white hat&#8217; hackers or &#8216;red teaming&#8217; also helps to detect weaknesses.</p>
<h4>Vendor monitoring</h4>
<p>Don&#8217;t forget about your vendors!  Vendor monitoring tools are becoming increasingly important to detect breaches as they are reported.</p>
<p>Stay up to date with the latest cyber scams and security risks by subscribing to cyber security newsletters and other news sources.</p>
<h4>Audit and assurance</h4>
<p>Internal Audit can also add value at a technical and non-technical level. Some audit departments have strong IT audit and artificial intelligence capabilities to interrogate data and security logs. Internal auditors are also excellent at identifying gaps in processes, control design weaknesses and unmanaged risks.</p>
<h4>Keep your finger on the pulse</h4>
<p>Stay on top of the latest developments in cyber security by joining professional associations, subscribing to newsletters from different sources and following thought leaders on social media.</p>
<h4>Exercise your plans</h4>
<p>World champion boxer Mike Tyson once said, “everyone has a plan until they get punched in the mouth”. What he was saying, basically, is that plans are useful until you have to put them into action in the real world. That is why regular exercising of the various response plans is important.</p>
<h4>Refine</h4>
<p>Adaptability is important. Once vulnerabilities have been detected, whether after a penetration test, audit or exercise or after a cyber incident has been resolved, refinements need to be made to better protect the information assets and systems.</p>
<h3>5. Respond</h3>
<p>If a cyber incident is detected, the clock starts ticking instantly. Depending on the type of cyber attack, the sooner you start the response, the less impact the attack is likely to have and the better the chance of a successful recovery.</p>
<p>A prompt response will help an organisation to continue to operate and get back to business as usual as quickly and efficiently as possible after a cyber attack or major disruption.</p>
<h4>Incident response plan</h4>
<p>In order to respond quickly, a well-documented, rehearsed and tested Incident Response Plan is critical. Remember, the worst time to develop a response plan is during an actual incident, so plan and prepare well in advance.</p>
<p>Other sub-plans may also assist in the response to a cyber incident e.g. Crisis Management Plan, Communication Plan.</p>
<p>The Incident Response Plan should be executed by a capable Incident Response Team with clearly defined roles and responsibilities.  The Incident Response Plan should:</p>
<ul>
<li>Cover a range of cyber incidents</li>
<li>List specific activities</li>
<li>Define roles and responsibilities</li>
<li>Establish invocation and escalation protocols</li>
<li>List key contacts</li>
<li>Outline communication protocols</li>
<li>Be aligned to the organisation&#8217;s Crisis Plan and Business Continuity Plan</li>
</ul>
<p>As part of the response, organisations should notify their insurer, anti-virus provider, cyber security experts and/or other cyber security service providers as a means of preventing further spread. Timely reporting also assists them to develop and deliver new solutions to manage and neutralise malicious intrusions in the future.</p>
<p>For some organisations, depending on the size, industry and geographic location, it is mandatory to report information security breaches to stakeholders impacted and/or a regulator.</p>
<h4>Event log</h4>
<p>During the response, it is important to keep an event log, copy of all emails, copy of communications and situation reports in a single folder to help you in the next stage &#8211; the lessons learned.</p>
<h3>6. Recover</h3>
<p>This final phase aims to restore data and services to their pre-incident state after a cyber attack or disruption.</p>
<p>Ideally, the organisation will have a number of pre-existing and pre-tested recovery sub-plans that are clear and thorough enough to execute an effective response. These recovery sub-plans typically include:</p>
<ul>
<li>IT Disaster Recovery Plan</li>
<li>Elements of the Business Continuity Plan</li>
<li>Crisis Management Plan</li>
<li>Communication Plan</li>
</ul>
<h4>Lessons learned</h4>
<p>Once the recovery is complete, a lessons learned debrief should be scheduled to identify what went well and what can be done differently so that elements of the cyber resilience framework are refined and enhanced.</p>
<p>The lessons learned report should document exactly what happened, what impact it had and what actions you took for future reference and potentially claiming on any cyber insurance policy.</p>
<p>The actions from the lessons learned will be used to further refine your cyber security controls.</p>
<h4>Antifragile</h4>
<p>Our final thought. Author of the popular 2007 book <a href="https://www.amazon.com/Black-Swan-Impact-Highly-Improbable/dp/0141034599" target="_blank" rel="noopener">The Black Swan: The Impact of the Highly Improbable</a> Nassim Nicholas Taleb wrote another book in 2012 called <a href="https://www.amazon.com/Antifragile-Things-That-Disorder-Incerto/dp/0812979680/" target="_blank" rel="noopener">Antifragile: Things That Gain from Disorder</a>. This is a great book about &#8220;resilience plus&#8221;. The key theme of this book is that unlike fragile systems, which break when put under stress, antifragile systems actually benefit from volatility and shock. Shocks and stressors strengthen antifragile systems by forcing them to build up extra capacity. Antifragile systems don&#8217;t bounce back to normal, but better and stronger.</p>
<p>Cyber security is excellent defence, but cyber resilience is a much broader concept. When you&#8217;re developing your cyber resilience framework, ask yourself how can you recover faster, stronger and better as an organisation.</p>
<h3>Are you cyber resilient and ready?</h3>
<p>Information assets are valuable and information technology is at the heart of all successful organisations. As clients and customers grow more and more accustomed to sharing highly sensitive personal information online, effective systems to govern, manage, detect, respond and recover from cyber risks are more important than ever.</p>
<p>It is now widely accepted that it’s no longer a matter of ‘if’ but ‘when’ an organisation will suffer a cyber attack or major disruption. Cyber resilience provides an organisation with an opportunity to look at and manage cyber risks from the top down and across different elements.</p>
<h3>How we can help you achieve cyber resilience</h3>
<p>Now is the time to move beyond cyber security to cyber resilience. InConsult is committed to helping organisations manage cyber risks and opportunities. We have extensive experience in audit and assurance, risk management, cyber risk management, climate risk, crisis management, business continuity, third party risk assessment, emergency management, disaster management and pandemic planning.</p>
<p>If you would like support in becoming a more cyber resilient organisation, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/achieving-cyber-resilience/">Achieving Cyber Resilience: A New Framework</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>5 Key Areas to Managing Third Party Vendor Risk</title>
		<link>https://inconsult.com.au/publication/5-key-areas-to-managing-third-party-vendor-risk/</link>
		
		<dc:creator><![CDATA[William Makdessi]]></dc:creator>
		<pubDate>Tue, 13 Oct 2020 21:07:56 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=5234</guid>

					<description><![CDATA[<p>Organisations rely on third party vendors to complete their supply chain ecosystem as a means of cutting cost and saving time. Why reinvent the wheel when a wheel manufacturer can just sell you one? Another attractive prospect of utilising third party vendors is the perception of outsourcing the risk. With fewer operations performed in-house and [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/5-key-areas-to-managing-third-party-vendor-risk/">5 Key Areas to Managing Third Party Vendor Risk</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Organisations rely on third party vendors to complete their supply chain ecosystem as a means of cutting cost and saving time. Why reinvent the wheel when a wheel manufacturer can just sell you one? Another attractive prospect of utilising third party vendors is the perception of outsourcing the risk. With fewer operations performed in-house and guarantees that exceed that of in-house capabilities, we are led to believe that we are reducing our own risk exposure.</p>
<p style="text-align: center;"><em>Unfortunately, this is not entirely true&#8230;</em></p>
<p>The extensive reliance on information technology to provide services or products is undoubtedly a cause of increased risk. Now take that IT infrastructure and place it in the hands of a third or fourth party and grant them access to an organisation’s private internal network. Without adequate assurance and some quality due diligence, organisations are exposed to a vast number of risks, the most common being a significant third party data breach. With over 50% of all data breaches being caused by third party vendor relations, and IT-related costs increasing by as much as $370,000 to remediate a data breach (<em>Ponemon Institute study 2019</em>), organisations should be taking greater care to review their third party vendor expectations.</p>
<p>Now that we are aware of the potential outcomes of inadequately assessing third party vendor risks, how can they be avoided?</p>
<p>These are the top five areas to focus on to manage third party vendors and mitigate risk:</p>
<h3>1. Old fashioned due diligence</h3>
<p>Due diligence should be the bare minimum when selecting a vendor. Any third party vendor should align with the expectations of the organisation&#8217;s executive leadership team, more so if they will be handling confidential, personal or strategic data. Be cautious of the fact that the conditions of due diligence change over time. What was once considered acceptable compliance may now be considered only partial compliance. This highlights the necessity to re-evaluate existing vendors to ensure they still meet the expectations of the organisation. Conduct a formal risk assessment to evaluate delivery risks, financial risks, compliance risks and legal risks. Favour vendors who provide you with transparency into their operations and allow you to audit their processes.</p>
<h3>2. Communication</h3>
<p>Establishing an open communication channel with third party vendors not only helps develop relationships and can result in cost benefits, it can also keep an organisation informed of changes to the vendor’s environment, future plans and even issues they are experiencing. It is worthwhile subscribing to a vendor’s newsletters as they may include a product road map including quarterly milestone projections. This can pave the way for predicting future risk and developing workarounds.</p>
<h3>3. Regular review</h3>
<p>Re-evaluating existing vendors is not only part of managing changes in vendor compliance; it should be a process performed annually to give an organisation the ability to benchmark vendors against each other and to compare a vendor’s current performance against its own past performance. Through the use of security questionnaires, cyber security ratings (CSR) and acquisition of compliance reports (e.g. SOC1, SOC2, ISO27001), an organisation can direct sensitive or crucial data to the vendors that present the lowest risk. At the absolute worst, vendors can be provided with feedback for improvement. Select vendors who have a continuous improvement program and are responsive to feedback from you.</p>
<h3>4. Vendor comparison</h3>
<p>While long term vendor relations can have immeasurable benefits, complacency can get the better of us. The market is always ripe with competitors trying to establish their brand, and as such there may well be a vendor that can match pricing while boasting greater risk maturity. Don’t be afraid to let vendors go if the costs associated with a security incident outweigh service or product savings. While the probability is low and an incident may never occur, it only needs to happen once. According to the U.S. National Cyber Security Alliance, 60% of small organisations never recover from a cyber incident alone.</p>
<h3>5. Planning for vendor contingencies</h3>
<p>Many organisations have a business continuity management (BCM) framework in place that addresses all critical business functions internally. Unfortunately, many BCM frameworks fail to appropriately analyse third party vendor functions and the criticality of their services or products. As such, a lack of workarounds for a variety of third party contingencies puts the organisation at great risk of prolonging a disaster or worse. To simplify the process, third party vendor assessment can be included in the next annual BCM review to ensure a confident recovery strategy when an incident occurs. Good practice is to have at least one other vendor selected where possible in the event of a failure of the primary vendor.</p>
<h3>The future of third party assessment</h3>
<p>As Software as a Service (SaaS) systems have engulfed every industry imaginable, one must wonder what SaaS systems offer when organisations attempt to simplify the task of adequately assessing third party vendors and their associated risks. GRC applications have been around for some time, allowing comprehensive management of risks, some even including specific third party vendor management modules. In the last couple of years particularly, there has been the introduction of systems that manage online questionnaires, provide Cyber Security Ratings (CSR) and much more. These systems, used in conjunction with a well-founded BCM framework, provide the ability to challenge vendors using multiple vectors and to think far beyond the continuity of merely internal functions.</p>
<h3>How we can help</h3>
<p>InConsult is committed to helping organisations become more resilient to third party vendor risks. We have extensive experience in risk management, cyber security, crisis management, business continuity, third party risk assessment, emergency management, disaster management and pandemic planning.</p>
<p>If you would like to know more about our third party assessment services or would like to see how you or your vendors score on the Cyber Security Rating scale, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/5-key-areas-to-managing-third-party-vendor-risk/">5 Key Areas to Managing Third Party Vendor Risk</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How To Build Your BCP In 6 Steps</title>
		<link>https://inconsult.com.au/publication/how-to-build-your-bcp-in-6-steps/</link>
		
		<dc:creator><![CDATA[CreativeTeam]]></dc:creator>
		<pubDate>Wed, 02 Oct 2019 03:16:14 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=3938</guid>

<description><![CDATA[<p>A Business Continuity Plan or BCP is not optional these days. The technological era has brought with it an expectation that organisations will be accessible and operational around the clock. Combined with catastrophic events like 9/11, the GFC and more recently data breaches, we have also seen a major shift in focus from Business Continuity [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/how-to-build-your-bcp-in-6-steps/">How To Build Your BCP In 6 Steps</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
<content:encoded><![CDATA[<p>A Business Continuity Plan or BCP is not optional these days. The technological era has brought with it an expectation that organisations will be accessible and operational around the clock. Combined with catastrophic events like 9/11, the GFC and more recently data breaches, we have also seen a major shift in focus from Business Continuity as a reactive function to a proactive one. Mitchell Morley, risk management, audit and governance specialist from InConsult, identifies 6 steps to building a business continuity plan.</p>
<p>Often building a BCP can seem like a mammoth and daunting task for organisations with multiple divisions and broad functionality like councils. Breaking the process down into a logical sequence of steps can help. Guidelines and standards, e.g. the <a href="https://www.thebci.org/" target="_blank" rel="noopener">Business Continuity Institute Good Practice Guidelines</a> (a global guide to good practice in business continuity), are a good introduction to business continuity and will help with the details, but here is a six step process to building an effective BCP.</p>
<h4>1. Obtain Commitment and Identify Risk Appetite</h4>
<p>Most plans fail to take hold within an organisation due to a lack of senior management buy-in. It is crucial to get the strategic decision makers on board for a business continuity plan as these are the key players who will ultimately provide leadership in a time of crisis. Start the BCP preparation process with a workshop of the organisation’s leadership team. Prepare yourself for the meeting with senior management by conducting research on existing plans, their effectiveness, cost and resources required. This should outline any gaps which can then be presented to senior management. Utilise the session with senior management to understand and formulate risk appetite. How quickly does management believe that the organisation’s stakeholders will want key services to resume following a disruption?</p>
<p>A risk appetite statement provides a directive to management and staff about organisational tolerance during an outage. Quicker response times generally come at a cost so the organisation needs to understand the costs and benefits of its desired tolerance to an outage.</p>
<h4>2. Conduct a Risk Assessment</h4>
<p>A detailed risk assessment across the organisation and its functions will highlight existing areas of weakness and identify plausible disruption scenarios. Most disruptions can be categorised into the following 4 scenarios:</p>
<ul>
<li>Loss of Data and IT/Resources</li>
<li>Loss of Building</li>
<li>Loss of Personnel</li>
<li>Loss of Equipment or Resources</li>
</ul>
<p>A disruption can consist of any one or multiple of the above scenarios. The AS/NZS ISO 31000:2009 principles of effective risk management can be applied to disruption related risk planning. The Standard makes it clear that ‘risk management enhances an organisation’s resilience and creates strategic and tactical advantages’.</p>
<h4>3. Conduct a Business Impact Analysis (BIA)</h4>
<p>The BIA is possibly the most important step in the overall BCP process. The BIA should be designed to capture operational impacts, financial exposure, technological reliance and resource requirements across key business areas during a disruption. This step should identify any operations which are time-sensitive, for example, waste collection services, and the time-frames by which these operations need to be fully serviceable. Also in this step, identify any contingency resources and plans. Business units often have manual contingencies built into their day-to-day operations to handle minor service outages; in some cases these manual contingencies can be stretched to form an alternative business process should the need arise.</p>
<p>Know your critical assets. Critical assets are important to maintain business continuity. Your BCP should list details of the critical assets. They include:</p>
<ul>
<li>People &#8211; contact information for key staff</li>
<li>Suppliers &#8211; contact information for key suppliers and third parties</li>
<li>Buildings &#8211; addresses of physical locations, copies of lease agreements and access keys</li>
<li>Equipment &#8211; list of major equipment including computers, printers, scanners, vehicles</li>
<li>Inventory &#8211; list of supplies, materials and stock</li>
<li>Data &#8211; important electronic documents, payroll, accounting, records, back-ups</li>
</ul>
<h4>4. Develop the Plan</h4>
<p>The BIA forms the basis of the overall organisational BCP. A robust BCP should include the organisational plan and response to the following four stages:</p>
<h3>Emergency Response procedures:</h3>
<p>The main focus at this stage is to ensure the safety of all personnel and the security of the organisation’s assets. This step is usually a “first-five-minutes approach” and no business directive is required. Most organisations will already have emergency response procedures and these need to be referenced or incorporated in this section of the Plan.</p>
<h3>Crisis Management Response:</h3>
<p>This stage involves the first critical decisions about what the crisis is and what the organisation’s response should be. The BCP should identify a crisis management team, the responsibilities of team members and the process and criteria for conducting an impact analysis.</p>
<p>This team generally comprises management in key decision making roles who can provide the organisation with leadership and direction during business disruption.</p>
<h3>Business Recovery:</h3>
<p>The business recovery stage outlines the procedures and activities necessary to restore critical functionality and services. These may not be restored to pre-crisis levels and may involve skeletal or contingency resources and procedures. For example, Waste Collection Services might be resumed utilising contingency resources from a neighbouring council.</p>
<p>This section of the Plan must identify alternate operational sites and key business resources required. We strongly recommend a checklist type approach rather than a detailed analysis of everything from how many pens are going to be needed to where emergency coffee supplies will be purchased from!</p>
<h3>Business Resumption:</h3>
<p>This stage involves returning the business to a pre-crisis operational level. This stage of the Plan should not be too prescriptive as the road to resumption will be dependent on the nature of the crisis and a whole range of other variables. Rather this section should contain a broad outline of responsibilities and key processes to move towards full business resumption.</p>
<p>The following diagram shows the four stages that should be covered in a BCP.</p>
<p>Once the plan has been signed off it needs to be distributed to staff in a controlled manner with backup copies being stored in an accessible location in the event of a disaster. The BCP should be viewed as a live document which is reviewed, updated and improved upon over time.</p>
<h4>5. Implementation &amp; Training</h4>
<p>Staff need to be trained so that they are aware of the BCP, what their roles and responsibilities are and who to contact should the need arise. Training will help to build staff capability and confidence to enable a smooth transition from crisis mode to business recovery and ultimately to the business resumption phase.</p>
<h4>6. Testing and Exercising</h4>
<p>Just as we practise fire evacuation drills to ensure staff are trained and processes are working in the time of a crisis, the same applies for the rest of a BCP. Regular testing and exercising of a BCP is critical to success. People are more likely to respond well to a crisis if they have practised what to do in advance. We strongly recommend at least annual testing/exercising of a BCP. This can also assist in identifying gaps and weaknesses in processes, steps and resources.</p>
<p>Business continuity planning does not have to be a daunting task if it is conducted in a logical and systematic way. A robust and tested BCP with trained resources will go a long way in making sure that the organisation is better prepared and more resilient in the time of a crisis.</p>
<h4>Can We Help?</h4>
<p>The InConsult team has a deep understanding of business continuity management. Now is the time to move to resilience. InConsult has extensive experience in audit and assurance, risk management, cyber risk management, climate risk, crisis management, business continuity, third party risk assessment, emergency management, disaster management, climate change risk, ESG and pandemic planning.</p>
<p>Be more resilient and <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your risk and resilience needs.</p>
The post <a href="https://inconsult.com.au/publication/how-to-build-your-bcp-in-6-steps/">How To Build Your BCP In 6 Steps</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
