Complying with the prudential regulator's new cybersecurity standard presents a huge challenge for asset owners but the cost of not complying could be far higher, according to Duncan Green, Executive Director, Information Security Management, Australia and New Zealand, J.P. Morgan, and Sai Ravi, Head of Regulatory Practice, Securities Services, APAC, J.P. Morgan.  

The famous 1970s criminal Willie Sutton was once asked why he robbed banks. His succinct reply – ‘because that’s where the money is’ – is still relevant today [1].

While old-fashioned heists may have been replaced by cyber-attacks, banks have had decades of experience building their defences, and an industry that has quietly amassed more than $US44 trillion in global assets [2] is still playing catch-up.

That’s why APRA’s new Prudential Standard CPS 234 is forcing asset owners, such as pension and superannuation funds, to prepare for information security incidents, which will assist in a swift response in the event of a breach.

CPS 234 took effect from July 1, 2019, with many local superannuation funds and other asset owners still working to understand and meet the new requirements.

Cybersecurity breaches increasing and drawing public attention

While the relatively quick introduction of CPS 234 has been challenging, the need for the new prudential standard is clear. Cybersecurity attacks on trillions of assets in pension funds around the world are increasing.

Earlier this year, a Massachusetts woman discovered that her 401(k) retirement account, worth almost $US200,000, had been drained [3]. Criminals were able to hack her email, impersonate her, and add a bank account to her retirement fund, a local court heard.

More recently, the Oklahoma Law Enforcement Retirement System lost $US4.2 million after hackers infiltrated an employee’s email account, the fund’s executive director Duane Michael told The Oklahoman newspaper [4].

Such business email compromise (BEC) attacks may not be sophisticated, but they are common and effective. Malware, such as ransomware installed by clicking on a disguised link or attachment, is another common risk.

APRA has spent years warning the financial services industry that it’s only a matter of time before a bank, insurer or super fund falls victim to a cyber attack [5].

Similar cyberattacks are also being used against Australian super funds, which collectively hold more than $2.9 trillion and rank as the fourth largest asset pool in the world [6]. At least one local fund has lost a six-figure sum to fraud in recent times.

The incidents so far make it clear that, while complying with CPS 234 takes time and investment, it is crucial for the safety of Australia's retirement system. The standard's requirements are principles-based and compare well to other cybersecurity regimes around the world.

Financial services firms should also consider applying the Financial Services Sector Cybersecurity Profile (FSP) as a means to shore up cybersecurity. Globally, the financial sector has led the development of the FSP, a risk-based common supervisory framework that incorporates pre-existing cybersecurity standards and best practices. Industry adoption of FSP would enable financial market participants and regulators to uplift cybersecurity while increasing regulatory harmonisation across the sector and globe.

What asset owners can do

CPS 234 provides a roadmap for asset owners to ensure they build a sound cybersecurity framework by asking the right questions. Those questions start at the top: who is responsible for cybersecurity? How does the fund demonstrate to its board that it has sufficient control over cyber risks? What are the fund's cybersecurity capabilities and controls?

Building this framework can help control and minimise the fallout from ongoing cyber incidents and plan for worst-case scenarios. Asset owners should know how money leaves their organisation and the controls they have in place to protect those movements, and should regularly test and exercise those controls to make sure they are effective.

Other worst-case scenarios to plan for include losing the majority of a customer database and their confidential information, as well as a cyber-attack that cripples the organisation's infrastructure, leaving just backups to restore functionality.

But it is not just internal cybersecurity that asset owners need to assess. The cybersecurity capabilities of third-party vendors and suppliers should also be a key focus, given many asset owners depend heavily on external administrators, custodians, fund managers, multiple IT suppliers, and even creative agencies. Many of these organisations (few of which are APRA-regulated) in turn use their own external vendors, creating a chain of potential weaknesses.

It takes skill and experience to know the right questions to uncover a vendor's real approach to cybersecurity. However, cybersecurity risk assessments have traditionally been performed on an ad-hoc basis within businesses, and by people who often don't have that specialist knowledge.

This is one area where J.P. Morgan can seek to help clients as they pursue their supervisory obligations, such as CPS 234, by sharing what we have learned. We have leveraged our global resources, including knowledge of new cybersecurity regulations in other jurisdictions, on our own journey to comply with CPS 234.

Digital disruption is ushering in a new level of competition across the financial services industry. But when it comes to protecting ourselves, and most importantly our customers, from cybersecurity risk, collaboration is the best strategy. 



[1] Quote Investigator, I Rob Banks Because That’s Where the Money Is

[2] OECD, Global pension statistics

[3] Manganis, Julie, Gloucester Daily Times, Woman’s $200K retirement account drained after hack