Brought to you by:

Go above and beyond APRA’s cyber rules, Aon says

Facebook Twitter LinkedIn Google

Companies must go further than the prudential regulator’s new cyber-security standard if they are to protect their assets, Aon warns.

The standard provides no guidance that is not already covered by the better international practice standards, the head of Aon’s Cyber Solutions Group Chris McLaughlin says.

A key element of the standard involves assessing the information security capabilities of all third parties that manage information.

Organisations must ensure any third party’s cyber security can protect against attacks on related companies engaged by that third party, through the use of interviews, control testing and independent assessments.

But Mr McLaughlin told companies should follow their data through the supply chain to the end user.

“The extension of the supply chain and the lack of understanding of its complexity and reach can lead to gaps in how controls are designed and implemented to protect the organisation’s information processing and assets, which is contrary to what the new guidance is trying to achieve.”

He says organisations should move towards quantitative risk assessments and understand what causal chains of risk affect their assets, and obtain as much visibility over their environment as possible so they understand the source of cyber threats to those assets.

“If you look at…the digital landscape and the number of suppliers that organisations are using… people can open up cloud services that aren’t sanctioned within an organisation.

“The organisation…will have no way of knowing how well the controls are designed or operate.”

He says the new standards could strain internal audit functions and prove expensive if companies use external auditors or consultants.