The Council of Financial Regulators (CFR) has released a Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework to test and demonstrate the cyber maturity and resilience of institutions within the Australian financial services industry.
The CFR – which includes the Reserve Bank of Australia (RBA), the Australian Securities and Investments Commission (ASIC), the Australian Prudential Regulation Authority (APRA), and the Treasury – has developed the framework to assist financial institutions with the preparation and execution of industry-wide cyber resilience exercises.
CORIE is a pilot program of exercises that will use intelligence gathered on adversaries to mimic the way they operate.
The exercises will mimic the tactics, techniques and procedures (TTPs) of real-life adversaries, creating and using tools and applying techniques that the institution may not have anticipated or planned for.
According to the CFR, these exercises aim to measure an organisation’s ability to identify, respond to and recover from the operations of a real-life adversary based on such TTPs.
The program will include threat intelligence-led exercises to assess the overall maturity of a financial institution’s cyber defence and response capability.
Threat intelligence is evidence-based knowledge including actionable advice about an existing or emerging threat to assets. This can be used to inform decisions around the organisation’s response to that threat.
The CFR has released a CORIE pilot program guideline, which said: “Real-life adversaries such as state-sponsored attackers are neither constrained by scope nor time.
“CORIE exercises mimic adversaries through fewer traditional testing restrictions and longer time duration to fully exploit opportunities. As a result, CORIE complements traditional security testing programs, such as vulnerability assessments, penetration testing and continuous red teaming – financial institutions should continue to maintain their existing security testing regimes.”
The objectives of the pilot program include:
- Provide data and information to inform relevant regulators of systemic weaknesses that may pose a risk to the integrity of the Australian financial markets and financial system;
- Assess financial institutions’ resilience to known adversaries targeting them; and
- Provide the relevant regulator and financial institutions with a plan of remediation to address any weaknesses.
Independent providers will conduct the exercises in a bid to remain as unbiased as possible and bring a “fresh perspective”, while the day-to-day management of the pilot program will be carried out by the CORIE team coordinators on behalf of the CFR. The team will consist of a small number of members within the cyber security teams of the CFR members.
Upon completion of the exercises, a report detailing industry-wide trends in cyber resilience will be presented to the CFR, highlighting any systemic weaknesses that may pose a risk to the integrity of the financial markets and financial system.
“Sophisticated adversaries are continuously attacking Australian financial institutions in illegal operations that can result in substantial financial loss, reputational damage and, in a worst-case scenario, impact the stability of the Australian financial markets and financial system,” the guideline said.
“Cyber operational resilience requires that people, processes and information systems adapt to the ever-evolving threat landscape. To maintain the ability of financial institutions to avoid significant financial loss and worst-case scenarios, cyber operational resilience must be proactive and not reactive.”
The launch of the framework comes amid the release of APRA’s cyber security strategy for 2020-24, with APRA executive board member Geoff Summerhayes warning that while no APRA-regulated bank, insurer or superannuation fund has suffered a substantial cyber attack, it would only be a matter of time before one happened, due to a lack of awareness among the higher ranks of companies.
A Bankwest analysis of scams and fraud trends recently found that cyber criminals are actively targeting the elderly and the most vulnerable members of the community at double the rate of any other age group.