When Howard brings this up with her client’s suppliers, there’s some difficulty in conceptualising what commensurate actually means.
How third parties can figure it out, she said, is to conduct self-assessments and to think about what potential threats could be faced by the business.
During these discussions, she sees questions about the materiality of risk being brought up. Her answer? Take a look at Prudential Standard CPS 220 Risk Management, which focuses on material risk.
“The third party itself should be determining what could impact the confidentiality or integrity of the data that they are processing or storing on behalf of the entity or the availability of those services that they are providing to the entity,” she said.
“It's like looking into a mirror really; on one side the entity will be looking at material risk and then on the other side, the supplier will be looking at exactly what is it that would impact their operations and impact the service to the entity that they are providing the service to.”
Robinson added some examples, such as a contact centre using a CRM system and making sure that only the right people can see VIP customers.
If a third party is managing the infrastructure and networks, then there need to be appropriate controls around privileged users. In Robinson’s example, this could take the form of data encryption to prevent external attackers from gaining access to the data, or from sending it out in an email.
“Can we ensure that only appropriate people can update that information? If it's some configuration data related to interest payments, can someone delete a log that has identified that they changed it and then change it back?” he asked.
“There's ways and means that people can commit fraud or steal information or impact a service. So there's a range of controls available.
“I've just taken through a couple of examples, but it would come back to the business themselves.”
Making the process as smooth as possible
Third-party suppliers yet to adapt to CPS 234 will have just over six months, at the time of writing, to do so.
If these suppliers are at a loss as to how to show APRA-regulated entities they’re ready for the deadline, the experts agreed that suppliers can build on pre-existing data security compliance codes.
Both Robinson and Howard cited ISO 27001 as a starting point.
“An ISO 27001 certification is broad enough because you can be certified in a very narrow scope, both in terms of the domains within the Information Organisation for Standardisation or the scope within a business,” Robinson said.
In addition to the standards in CPS 234 and ISO 27001, Howard said the US government’s National Institute of Standards and Technology (NIST) Cybersecurity Framework is another guideline suppliers can adopt.
Whichever standard suppliers choose, Howard added, it is important that they do adhere to one, as it shows a commitment to data security, and that they regularly assess their adherence to it.
“The outcome of that then is obviously to show that if there are any gaps identified, processes are in place to remediate against those gaps and any evidence to support that is also maintained and captured,” she said.
“That gives a lot of confidence to the entity, that the supplier themselves know what they need to do, when they need to do it, have identified risks and remediating those risks and gaps and maybe even implementing new controls as well to take that risk to a lower level.”
Howard also reiterated the need to make sure that everyone is keeping in check with CPS 234, including board members and senior management.
If suppliers haven’t yet started acting on their responsibilities under CPS 234, they should be doing so quickly, she added.
“I'd be surprised at this stage if a supplier is not aware of the CPS 234, but I think it's a great way of going forward with this to improve the security standards and posture for not only the corporate entities, but also the suppliers.”