CFOtech Australia - Technology news for CFOs & financial decision-makers

Don't let your company make headlines for all the wrong reasons

Yesterday

Australian banks, superannuation funds, and insurance companies take note: the new Australian Prudential Regulation Authority (APRA) rules - stricter cyber security risk management - mean you, your team, and your company will be under serious scrutiny. Failure to comply could lead to big penalties, including jail time.

Over the last year alone, cyber-attacks on high-profile institutions have affected millions of Australians and driven strong businesses to fold or file for bankruptcy. Look no further than MediSecure for a potent example – it suffered a serious data breach that compromised the personal details of nearly half of all Australians (12.9 million)*. The ensuing mess led the company into voluntary administration a few months later.

Unfortunately, MediSecure is just one example. According to the Office of the Australian Information Commissioner (OAIC), there were 527 data breaches from January to June 2024, with cybersecurity incidents representing 38% of that number. With that in mind, APRA has set out new and updated rules to protect customers, meaning serious fines, penalties, and even jail time for individuals at financial organisations who don't have control of their users' data.

The challenge is that about 90% of a company's data is unstructured—emails, documents, social media posts, videos, images, audio files, and chat messages—in short, data that is used many times a day in the modern business environment. However, unstructured data is not always organised or managed, making it an easy target for a cyber-attack.

Current APRA rules around operational risk management require companies to identify and protect their most critical and sensitive data and notify APRA within 72 hours of any breaches. Breaches are reported on a public register held by APRA, creating the possibility for public backlash and reputational damage.

To safeguard their security, companies must gain a greater understanding of the billions of unstructured data files they accumulate each year as part of normal business operations.

Companies will need a strong understanding of their unstructured data to find the critical data required for day-to-day operations. Without it, they will also be left fumbling in the dark in the event of a cyber-attack: unless an organisation can recover its critical data in a short space of time, backups are next to useless.

Incoming APRA regulations mean companies must notify APRA within 24 hours if they have suffered a disruption to a critical operation. Once these regulations go live, visibility into the data estate will be vital. It helps with the organisation of structured and unstructured data, gives the company greater ability to reduce unnecessary and duplicate files, and lets business-critical systems be fed their most important data rather than wading through an expanse of low-value data to find the information they need.

The new standard, CPS230, will take effect from 1 July 2025. It sets out minimum requirements for managing operational risk across APRA-regulated entities, including being able to recover quickly, with the ability to operate on a separate clean system in the aftermath of a cyber-attack. Lacking a proper understanding of unstructured data is akin to searching a public library for a particular book without an indexing system: it is impossible to find and use critical data unless you do some serious triage work first. These new regulations will make life extremely difficult for an organisation unless it gains better insight into the unstructured data it holds.

Further to this, CPS230 dovetails with another regulation, CPS234, which mandates that organisations in financial industries bolster their information security framework to safeguard themselves and their customers from the growing threat of cyber-attacks.

CPS234 requires responsibilities to be clearly defined across organisations, from the board of directors to senior management, governing bodies, and other employees. Directors will ultimately be held responsible for this governance. It also requires an information security regime that secures the organisation against emerging and existing threats and detects vulnerabilities, so that operations remain efficient and effective.

Now is the time to gain control over unstructured data and bring order to all of your unstructured storage. An advanced data management platform can enable organisations to assess, organise, and protect their unstructured data, removing many of the roadblocks between them and strong governance—which will have a major impact on compliance with regulations such as CPS230 and CPS234. Better data control requires better visibility and understanding of what the organisation holds. After all, you can't defend and protect what you can't see.
