Cybersecurity in Finance and Insurance

Report and Improve Compliance

Powered by SAM for Compliance

Finance and Insurance - APRA Obligations

From July 1, 2019, the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 Information Security comes into effect. This standard applies to all APRA-regulated entities, including general insurers, life insurers, private health insurers, authorised deposit-taking institutions (ADIs), superannuation entities (registrable licensees), and authorised non-operating holding companies.

How will your organisation track its security posture and assess and demonstrate compliance? APRA has said that there is no “grace period” for organisations. The Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security, so how will your Board report compliance to APRA? SAM makes it straightforward both to report and to maintain accurate, up-to-date assessments of compliance.

You can have SAM up and running in a matter of days and present your Board with a deliberate and prioritised plan for compliance. Imagine being able to stand in front of your Board and clearly address every question and concern they have, because you have the data to show where you comply and where you have gaps that need funding and/or support to close.



This Prudential Standard aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyber-attacks) by maintaining an information security capability commensurate with the vulnerabilities and threats to its information assets.

A key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including information assets managed by related parties or third parties.

The key requirements of this Prudential Standard are that an APRA-regulated entity must:

  • clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals;
  • maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity;
  • implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and
  • notify APRA of material information security incidents.

The SAM CPS-234 Framework has been designed specifically for the Australian finance and insurance industry to enable organisations to demonstrate compliance with the Standard as required by APRA. With approximately 950 controls, this is a substantial framework whose structure draws on both the Standard and the Guide. The controls have been derived from a variety of sources, including NIST SP 800-53, the CIS Controls and ISO 27002, with a foundation in APRA’s CPG 234 – Management of security risk in information and information technology (both the 2010 and 2019 editions).



Imagine being able to obtain a real-time report of how your third parties comply with the CPS 234 Standard. For as little as the price of lunch each day, you can deploy SAM to your most important third-party information holders and processors; they fill out the assessment, and you track it to report on their compliance. You can use our CPS 234 mapping to measure and report on your vendor risk.



NIST CSF (Cybersecurity Framework) for Corporate Cybersecurity Compliance

The NIST CSF is a risk-based approach to managing cybersecurity risk and is composed of three parts: the Framework Core, the Framework Implementation Tiers and the Framework Profiles. Each Framework component reinforces the connection between business drivers and cybersecurity activities.

The SAM-NIST CSF Framework focuses on the Framework Core, which is a set of cybersecurity activities, desired outcomes and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines and practices in a manner that allows cybersecurity activities and outcomes to be communicated across the organisation, from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond and Recover. Considered together, these Functions provide a high-level, strategic view of the lifecycle of an organisation's management of cybersecurity risk. The Framework Core then identifies the underlying key Categories and Subcategories for each Function. The controls specified within the SAM-NIST CSF Framework have been derived from NIST SP 800-53 Rev. 5.

While the NIST CSF is not exhaustive, it is extensible, allowing organisations, sectors and other entities to select the Subcategories and controls that are cost-effective and efficient and that enable them to manage their cybersecurity risk.

Using the SAM-NIST CSF Framework, organisations can demonstrate compliance with this framework and identify the areas where remediation is required to improve their overall cybersecurity posture.


How do you measure and assess the cybersecurity fitness of your potential and current customers? Is this customer a risk worth insuring? You can use SAM to assess and measure how well a customer organisation manages its cybersecurity.




Our Consultants can provide a variety of cybersecurity-related consulting and audit services to this sector.
