Service providers that work with entities regulated by the Australian Prudential Regulatory Authority (APRA) need to adhere to the information security-related Prudential Standard CPS 234 by 1 July 2020. We ask some experts what it is and how enterprises can get ready for it.
What is CPS 234?
CPS 234 is an APRA prudential standard aimed at making sure that APRA-regulated entities are adequately prepared to protect themselves against information security incidents, including cyber attacks, to maintain information security capability commensurate with information security vulnerability and threats.
According to the text of CPS 234:
A key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including information assets managed by related parties or third parties.
The Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security.
Currently, the standard applies only to authorised deposit-taking institutions (ADIs) such as banks, general insurers, life companies, private health insurers and registrable superannuation entity licensees.
However, from 1 July 2020, this standard will also impact third party suppliers to these APRA-regulated businesses – a group that includes vendors and channel partners.
Breaking this down, Lani Refiti, partner, smart cities leader and cyber risk advisory at Deloitte Asia Pacific, explained it as a mandatory regulation for the bodies that APRA regulates, mandating certain cybersecurity requirements.
Anthony Robinson, partner for cyber security at consulting firm EY sees CPS 234 as principle-based regulation, outlining an approach to the appropriate management of information security risk, how businesses can best structure their investments and controls and how to get assurance around the operating effectiveness of those controls.
Meanwhile, Joss Howard, cyber security senior advisor at cyber security consulting firm and Splunk partner NCC Group, summed up the standard as being about how entities will address cyber threats and risks to their operations.
A commonality across the three experts’ statements was that the standard prescribes no specific measures that third parties must use; the choice of controls is left to the third party’s interpretation.
How are third parties expected to be impacted by CPS 234?
According to the text of CPS 234:
Where an APRA-regulated entity’s information assets are managed by a third party, the requirements in this Prudential Standard will apply in relation to those information assets from the earlier of the next renewal date of the contract with the third party or 1 July 2020.
Refiti predicted that the burden of testing the supply chain would fall on the third parties themselves, since it would be “impossible” for a regulated organisation to do this on its own.
“What you'll normally do is you'll try and prioritise in terms of what’s most important via risk assessment, and then you will try and push down the regulations down, so you can have your supply chain expend the dollars to provide security and then make sure that they report back to you in an accurate manner,” he said.
Robinson reiterated Refiti’s sentiments, stating that no matter the function of the third party, their actions are representative of that of the APRA-regulated entity.
“APRA's perspective is very clear through CPS 234: the organisation is responsible for those controls operating effectively, whether they operate them or whether a third party operates them,” Robinson said.
“So, just because they have an outsource function or a service provider who is operating those controls, ultimately, they're only doing it on behalf of the business.”