#NSBCS.117 - From Compliance to Consequence: Why Cyber Resilience Starts with Governance


Information security is often framed as a stack of technical controls: patching, monitoring, access management, backups, incident response. Each matters, but none operates effectively in isolation. Controls become resilient only when a governance framework gives them direction and ownership and embeds resilience into an organisation’s long-term information security strategy. Cyber resilience should not be seen as a separate discipline sitting beside the more technical aspects of information security. Rather, it is the foundation on which the other protective measures must be built.

That position is becoming clearer in Australia’s regulatory environment. APRA’s CPS 230 commenced on 1 July 2025, lifting expectations for how regulated entities manage operational risk, maintain critical operations through disruption, and oversee service providers. It is especially topical now: for pre-existing service provider arrangements, the relevant requirements apply from 1 July 2026. The message from regulators is straightforward. Resilience is no longer about having a plan on paper; it is about being able to show, in practice, that critical operations can continue and recover within defined tolerances.

What makes CPS 230 significant is that it elevates resilience into a governance obligation. It requires boards and executives to understand critical operations, define tolerances for disruption, test business continuity arrangements, and manage dependencies. In other words, it recognises that operational resilience depends less on whether an organisation owns the right technologies, and more on whether leadership has ensured those technologies are embedded within a disciplined operating model. Without that governance layer, even mature-looking controls can become fragmented and inconsistent.

The recent FIIG outcome shows where that gap can lead. On 9 February 2026, ASIC announced that FIIG Securities had been ordered to pay a $2.5 million penalty, contribute $500,000 towards ASIC’s costs, and undertake a compliance program involving an independent expert. ASIC notes this was the first time the Court had imposed civil penalties for cyber security failures under the general Australian financial services licence obligations.

The case is significant because it signals a shift: organisations are now accountable for implementing effective and comprehensive governance, and regulators are prepared to enforce that obligation. The issue is not simply whether a firewall rule, patching cycle or monitoring process failed. It is whether a governance process was in place to ensure that these controls were prioritised, resourced and maintained to the required standard.

This, in essence, is the broader lesson for Australian organisations. Governance is the overarching element that connects cyber security to business continuity, operational resilience and regulatory defensibility. It is what turns patching into risk reduction, monitoring into timely response, and recovery planning into real recovery capability. ASIC’s Key Issues Outlook 2026 makes that clear in plain terms: cyber-attacks, data breaches and inadequate operational resilience and crisis management undermine market confidence and harm consumers. In this environment, the key question for boards is no longer whether controls exist, but whether they will effectively protect the business when disruptions occur.

Looking to strengthen your Cyber Resilience? Book a meeting with our team today.


What we read this week

  • CISA Orders Federal Agencies to Patch Maximum-Severity Cisco FMC Vulnerability Under Active Exploitation - CISA has added CVE-2026-20131 to its Known Exploited Vulnerabilities catalogue and issued a Binding Operational Directive requiring Federal Civilian Executive Branch agencies to apply patches or discontinue use of the affected product by 22 March 2026. The critical flaw in Cisco Secure Firewall Management Center allows unauthenticated remote attackers to execute arbitrary Java code with root privileges via insecure deserialisation of a specially crafted serialised Java object sent to the web-based management interface. The Interlock ransomware gang has exploited it as a zero-day since late January 2026, targeting high-profile victims including healthcare providers and educational institutions using custom tools and initial access techniques. No workarounds exist. Organisations should apply Cisco’s March updates without delay, monitor for exploitation indicators, restrict exposure of the management interface, and review logs for suspicious activity.

  • Medusa Ransomware Hits US Healthcare and Local Government Targets - The Medusa ransomware group has claimed attacks on the University of Mississippi Medical Center and Passaic County in New Jersey. The UMMC incident, which began in February, resulted in the closure of 35 clinics, suspension of elective procedures, and nine days of Epic electronic health record downtime, forcing staff to use handwritten charts and divert patients; over 1 TB of patient and employee data was allegedly exfiltrated. Passaic County suffered widespread IT and phone system outages affecting nearly 600,000 residents, with a ransom demand of $800,000. The group continues to employ double-extortion tactics. Healthcare and public sector organisations should maintain offline, immutable backups, implement network segmentation, enable behavioural detection for ransomware precursors, and test incident response plans regularly.

  • Russian Initial Access Broker Sentenced to 81 Months in US Prison - Aleksei Volkov, a 26-year-old Russian national, has been sentenced to 81 months in a US federal prison for operating as an initial access broker. He sold compromised corporate network credentials on underground forums, directly enabling ransomware campaigns that caused millions of dollars in damages to victims worldwide. The case underscores the critical role of access brokers in fuelling the ransomware ecosystem and the success of international law enforcement collaboration. Organisations should strengthen credential hygiene, deploy multi-factor authentication universally, monitor for anomalous access patterns, and consider threat intelligence feeds that track broker activity.

  • Threat Actors Adapt but Remain on Telegram Despite Platform Crackdown - Despite Telegram blocking over 43 million channels in 2025 amid regulatory pressure, cybercriminals have adapted their operations rather than abandoning the platform. Threat actors have evolved coordination methods while retaining Telegram’s advantages for speed, reach, and anonymity, ensuring continued dominance in malware distribution, phishing, and ransomware negotiations. The platform remains a preferred hub for criminal ecosystems in 2026. Security teams should treat Telegram-linked indicators with heightened scrutiny, educate users on associated risks, and integrate platform-specific threat intelligence into detection workflows.

  • Higher Education Institutions Face Unique Identity Security and Management Risks - Universities operate some of the most complex identity environments because of high user turnover, decentralised administration, and intricate Active Directory/Entra ID setups that must balance open academic access with robust protection of sensitive research and student data. These factors create elevated risks of identity-based attacks compared with corporate environments. Experts highlight the need for tailored strategies including automated lifecycle management and continuous monitoring. Higher education organisations should prioritise unified identity platforms, implement just-in-time access controls, conduct regular access reviews, and invest in identity threat detection and response capabilities.
