Tech chiefs working in financial services must immediately assess their current security controls to ensure they comply with cybersecurity requirements set out by the Australian Prudential Regulation Authority (APRA), says NCC Group's Joss Howard.

All APRA-regulated entities are expected to meet the new requirements for Prudential Standard CPS 234 (CPS 234) Information Security by July this year. CPS 234 requires APRA-regulated entities to clearly define information-security roles and responsibilities; maintain an information security capability commensurate with the size and extent of threats; implement controls to protect information and undertake regular testing to ensure they are effective; and promptly notify APRA of security incidents.

These requirements will increase pressure on financial services organisations that are in the midst of moving away from their traditional ways of doing business to new models that rely heavily on data and the creation of new digital services for customers. This will be compounded by the government’s incoming open banking regulations, which will require increased security of data, Howard, who is head of risk management and governance consulting, APAC, at the information consulting firm, told CIO Australia.

If CIOs see gaps, they must remediate them as soon as they can or risk being fined heavily by APRA for any security breaches, said Howard.

She said that, depending on the size of the financial organisation they work for, CIOs will have different risk appetites.

“There may be one or two team member companies that have developed a product or service and their appetite is totally different to the larger big four banks,” she said.

“A two-person team would probably take a far greater risk of doing something non-regulatory than the big four [banks] because the consequences are far greater at the big end of town.”

These smaller organisations will take the risk because they don’t understand the consequences if they’ve never been impacted by a regulatory commission or investigation, said Howard.

“On the other side you have the 'big four' CIOs, who have probably been highly audited, highly regulated over the years, so they know the consequences. Whenever [NCC] did this kind of regulatory assessment of a smaller organisation, they usually had some governance in place, but it was often basic and barely in operation across the organisation,” she said.

From Howard’s experience, the importance of appropriate governance will increase for CIOs depending on the dollar sign at the end of the day.

“For the larger, more established financial institutions like the big four, they’re going to have all the systems and processes in place that they need to comply, and this extends to their suppliers too,” she said.

Howard recommends these six steps to begin appropriate governance:

1. Set the information security policy. Implementing an information security policy sets the standard of information security governance within the business, and is an important first step.

2. Examine the assets. Determining what information assets are in use, their purpose, who consumes that information, and the data flows and storage areas helps to identify the organisation’s information risk exposure.

3. Classify the assets. After identifying the information assets and their location, classify the organisation’s assets (including those managed by third parties) based on criticality, sensitivity and impact to the business if compromised.

4. Know the threats and understand the risks. Assess what threats could initiate a threat event and exploit a vulnerability, causing a business impact. By determining how these factors interrelate and what impact they have, they can be reduced by sound security controls.

5. Plan what to do in the event of an information security incident. It is important that all APRA-regulated entities test their incident plans regularly and effectively, especially where the incident has identified an information breach.

6. Assess and re-assess. To ensure that the organisation complies with the prudential standard and does not fall afoul of APRA’s enforcement approach, APRA-regulated businesses should include the requirements of the CPS 234 standard in their internal audit program.