The Council of Financial Regulators (CFR) has released a Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework for a series of simulated cyber attacks designed to test the resilience of the Australian financial services industry in the face of growing information security threats.
The release of the new CORIE framework follows the Australian Prudential Regulation Authority (APRA) recently signaling it will step up its review of cyber compliance by regulated financial services institutions as part of its new Cyber Security Strategy.
CORIE's exercises will mimic the operations of real-life adversaries, such as state-sponsored cyber-attackers, and measure an institution's ability to detect, respond to and recover from them. On completion of exercises, a report detailing cyber resilience trends among financial institutions will be presented to the CFR to inform Australian regulators (such as APRA) of systemic weaknesses that may present a risk to the integrity and stability of Australian financial markets.
CORIE is designed to complement, rather than replace, traditional security testing programs such as vulnerability assessments and penetration testing. Financial institutions are encouraged to continue to maintain their existing security testing regimes and take proactive measures to adapt to the ever-evolving threat landscape.
"Cyber operational resilience requires that people, processes and information systems adapt to the ever-evolving threat landscape. To maintain the ability of financial institutions to avoid significant financial loss and worst-case scenarios, cyber operational resilience must be proactive and not reactive." - CFR, CORIE Pilot Program Guideline, page 2.