CFR releases ‘resilience framework’ to test FI industry’s cyber readiness

CORIE Council of Financial Regulators Cyber

Australian financial institutions and regulators will be able to test their cybersecurity maturity, resilience and response through a new industry initiative, with The Council of Financial Regulators (CFR) unveiling its Cyber Operational Resilience Intelligence-led Exercises, or CORIE, framework.

The framework provides guidance on the CFR’s upcoming CORIE pilot program, which will measure financial services providers detection, response, and recovery capabilities against a simulated cyber-attack.

The program’s exercises “mimic the tactics, techniques and procedures of real-life adversaries”, the CFR said, “creating and utilising tools, and using techniques that may not have been anticipated and planned for”.

Exercises make use of intelligence gathered from threat actors, based on real and anticipated behaviours, to simulate their modes of operation.

A small group of “systemically important” financial institutions will be invited to take part in a CORIE pilot program, providing feedback to the Council, whereupon a decision will be made to either expand the program or implement learnings to inform regulatory guidance.

A core objective of the CORIE program is to “provide data and reporting that informs Australian regulators of systemic weaknesses that could risk the integrity and stability of Australian financial markets”, the framework states.

Participating FSIs – including banks, insurers, and superannuation providers – will be asked to hire independent teams of “red hat” hackers to expose weaknesses in their cyber defences, alongside internal “white teams” who will test defences against this simulated, “real-life adversary in a production environment”.

Last month, in a speech to the Financial Services Assurance Forum, APRA executive board member Geoff Summerhayes noted “significant weaknesses”, and even creeping complacency, in the industry’s security provisions, urging financial entities to do more to bolster cyber defences and resilience.

“To date, no APRA-regulated bank, insurer or superannuation fund has suffered a material cyber breach, but our view that it’s only a matter of time until a major incident occurs hasn’t changed,” Summerhayes said.

While about 100 financial services entities requested more time to comply with CPS234 – APRA’s mandated information security standard – the remainder, he said, were generally positive about their compliance.

However, he hastened to add, APRA’s IT risk team “discovered significant weaknesses in every instance in areas such as testing programs, control environments and incident response capabilities”.

While the CRA said it would not define the exercise types in its CORIE pilot, they are expected to be completed by all participating financial institutions in order to measure the effectiveness of the pilot program.

Exercises will be conducted by independent ‘providers’ bringing, the CRA said, “as close to an unbiased view as possible coupled with advanced adversary simulation capabilities”.

On completion of exercises, a report detailing industry-wide cyber resilience trends amongst financial institutions will be presented to the CFR highlighting any systemic weaknesses that may present a risk to the integrity of the Australian financial markets and financial system.

Feedback from the pilot will then guide the next steps, such as a further pilot with a broader group of financial institutions or implementation into industry.

Day-to-day management of the pilot program is performed on behalf of the CFR by the CORIE Team Coordinators, consisting of a small number of trusted personnel within the cybersecurity teams of the CFR members.

Exercises will be overseen by the Council, which comprises the Reserve Bank, APRA, ASIC and the Treasury.