Cyber Risk: New Regulations Prompt Scramble Among Companies to Comply

A growing number of Australian companies are looking for better ways to mitigate their risks in the face of increasing regulations.

By Nina Hendy.

There’s nothing quite like new regulations coming into force to prompt Australian companies to clean up their house.

Marcus Bartram, Founder & General Partner, Telstra Ventures

Right now, this is playing out across a corporate landscape dominated by a growing number of cyber attacks as the global economy stalls.

The news comes after a protracted period of increasingly malicious cyber-attacks on Australia, prompting authorities to step up protections of critical infrastructure facilities.

Authorities recently revealed they are stepping up protections across power and water distribution networks, transport and communications grids.

Australian Cyber Security Centre head Abigail Bradshaw says a cyber incident involving critical infrastructure can have serious impacts.

“We are continuing to see attempts to compromise Australia’s critical infrastructure. It is reprehensible that cyber criminals would seek to disrupt or conduct ransomware attacks on our essential services during a major health crisis,” Ms Bradshaw says.

Mad scramble

But regulators are squarely placing the responsibility for any breaches on the shoulders of companies, prompting furious action by many corporate leaders.

On July 1, the Australian Prudential Regulation Authority (APRA) rolled out the CPS234 regulation, which shores up entities’ resilience against information security incidents, including cyber-attacks. It is designed to ensure APRA can respond swiftly and effectively in the event of a breach.

This has prompted a scramble among corporate players to outsource the problem to third parties. More often than not, the assessment and onboarding of a reliable provider falls to the finance and procurement team within a business.

In a sign of the times, the world’s largest global risk exchange, Cyber Global Risk Exchange (CyberGRX), has been establishing an Australian presence, giving companies greater muscle where it’s needed.

CyberGRX is the market’s first fully operational two-sided marketplace for enterprises’ third-party cyber risk management. This exchange provides partners with immediate access to cyber risk data on their third parties.

The company reveals it has experienced rapid growth in Australia, bolstering its customer base by 175% in the past year, representing 15% of the company’s global revenue.

Who is CyberGRX?

CyberGRX is a third-party risk management solution used by companies to confidently act on cybersecurity risks. Based in Denver, the platform was designed with partners including Aetna, Blackstone and MassMutual.

Most recently, a report published by Gartner showed that the CyberGRX assessment scored highest out of 16 vendor risk management providers in the market.

The company’s director of client services Anthony Panuccio says APRA’s prudential standard CPS234 was imposed on financial institutions with a clear focus of extending cyber security controls to third parties.

“Traditionally, enterprises would create their own assessments and were only able to conduct 15-20 assessments in a year. These were largely focused on chasing third parties, rather than taking risk decisions,” Panuccio says.

“CyberGRX addresses this issue by providing access to completed risk assessments that dynamically change based on the enterprise’s services relationships with the third party,” he says.

“Major companies are coming to the realisation that to augment their current third party capability with CyberGRX allows scale, pace, visibility and ultimately moves them to perform true risk mitigation, rather than data chasing for compliance purposes,” he says.

Corporate backing

Telstra Ventures invested in CyberGRX in mid-2019 and has been helping the company establish a presence in Australia.

Marcus Bartram says CyberGRX has grown despite the tougher economic climate, signing on major enterprises across banking, telecommunications and the utility sectors.

Key drivers of this growth have been the new APRA regulations, a continued push for digital transformation and the fact that 60% of data breaches can be attributed to a third party, he says.

The team’s deep understanding of the customer problem in the cyber risk space attracted Telstra Ventures to CyberGRX, Bartram says.

Deloitte is sharing CyberGRX with its clients. Tommy Viljoen, Partner, Cyber Risk Services, says traditional ways of managing vendor risks are cumbersome and inefficient for all concerned.

“Third party cyber risk management is now essential for all businesses. The CyberGRX platform model solves this with a unique set of tools, visualisation and analytics that provides ongoing cyber risk insight,” he says.

Mitigating risks

“Businesses pondering the best way to mitigate cyber risk need to act fast, particularly in the current climate,” Bartram says.

Businesses need to figure out how to wrap themselves around their whole supplier base and have a view on the risk this presents, he says.

“The traditional way of doing this with small teams, manual processes and assuming a small number of suppliers as being representative of the risk you face is just foolhardy at best, but until options like CyberGRX came along it was the best that companies could do.”

Bartram continues: “Now, a business has options available to them to help automate and scale how they mitigate third party supplier risk, so in the face of increasing regulation, it’s a very concrete step you can take to help mitigate cyber risk.”