The ‘CORIE’ framework will initially run as an industry pilot programme, consisting of a small number of systemically important FIs.
Australia’s CFR (Council of Financial Regulators) has released a framework to test and demonstrate the cyber maturity and resilience of the country’s financial institutions.
Cyber risk is repeatedly classified amongst the top risks to the Australian financial system, and considered a key risk to the CFR, which comprises APRA (Australian Prudential Regulation Authority), ASIC (Australian Securities and Investments Commission), the RBA (Reserve Bank of Australia), and the Department of Treasury.
In March 2019, the CFR Cyber Security Working Group proposed the establishment of a framework for improving cyber resilience within the Australian financial services industry, whereby targeted threat intelligence would be used to build goal-focused ‘red team’ scenarios to test and demonstrate an institution’s cyber resilience level.
The CFR has developed the Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework to aid preparation and execution of industry-wide cyber resilience exercises.
A key objective of the framework is to provide data and reporting to inform regulators of systemic weaknesses that may present a risk to the integrity and stability of Australian financial markets, as well as to identify actions to uplift the cyber resilience of FIs.
CORIE’s exercises will mimic the tactics, techniques and procedures (TTPs) of real-life adversaries, creating and using tools, and employing techniques that the institution may not have anticipated or planned for.
These exercises measure the ability of an organisation to detect, respond to and recover from the operations of a real adversary using such TTPs, so as to maintain critical business processes and protect sensitive data, the CFR says.
CORIE will initially run as an industry pilot programme consisting of a small number of systemically important FIs invited by the CFR to participate and provide feedback.
FIs that participate will first be required to conduct a Cyber Risk Assessment (CRA), which evaluates and categorises them according to the level of risk they pose to financial markets and the financial system; this categorisation dictates the types and frequency of exercises they will have to undergo under CORIE.
Each FI will also receive a CRA questionnaire to complete and return prior to the commencement of the pilot programme.
After the initial pilot has been completed, workshops will be conducted to gather feedback, which will guide the next steps, such as a further pilot with a broader group of FIs or full implementation across the industry.