Why financial sector suppliers need to act on APRA's new infosec standard

How this standard targeting APRA-regulated entities could affect your business

Service providers that work with entities regulated by the Australian Prudential Regulatory Authority (APRA) need to adhere to the information security-related Prudential Standard CPS 234 by 1 July 2020. We ask some experts what it is and how enterprises can get ready for it.

What is CPS 234?

CPS 234 is an APRA prudential standard aimed at making sure that APRA-regulated entities are adequately prepared to protect themselves against information security incidents, including cyber attacks, to maintain information security capability commensurate with information security vulnerability and threats.

According to the text of CPS 234: 

A key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including information assets managed by related parties or third parties.

The Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security.

Currently, this is applicable only for authorised deposit-taking institutions (ADIs), such as banks, general insurers, life companies, private health insurers or registrable superannuation entity licencees.

However, from 1 July 2020, this standard will also impact third party suppliers to these APRA-regulated businesses – a group that includes vendors and channel partners.

Breaking this down, Lani Refiti, partner, smart cities leader and cyber risk advisory at Deloitte Asia Pacific, explained it as a mandatory regulation for the bodies that APRA regulates, mandating certain cybersecurity requirements.

Anthony Robinson, partner for cyber security at consulting firm EY sees CPS 234 as principle-based regulation, outlining an approach to the appropriate management of information security risk, how businesses can best structure their investments and controls and how to get assurance around the operating effectiveness of those controls.

Meanwhile Joss Howard, cyber security senior advisor at cyber security consulting firm and Splunk partner NCC Group, summed up the standard as being about how entities will address cyber threats and risks to its operations.

A commonality across each of the three experts’ statements was the fact that there is no specific measures the third parties have to use – it’s all up to the interpretation of the third party.

How are third parties expected to be impacted by CPS 234?

According to the text of CPS 234:

Where an APRA-regulated entity’s information assets are managed by a third party, the requirements in this Prudential Standard will apply in relation to those information assets from the earlier of the next renewal date of the contract with the third party or 1 July 2020.

Refiti predicted that the requirement of testing their own supply chain will fall upon the shoulders of third parties, and that it would be “impossible” for an organisation to do this by itself.

“What you'll normally do is you'll try and prioritise in terms of what’s most important via risk assessment, and then you will try and push down the regulations down, so you can have your supply chain expend the dollars to provide security and then make sure that they report back to you in an accurate manner,” he said.

Robinson reiterated Refiti’s sentiments, stating that no matter the function of the third party, their actions are representative of that of the APRA-regulated entity.

“APRA's perspective is very clear through CPS 234: the organisation is responsible for those controls operating effectively, whether they operate them or whether a third party operates them,” Robinson said.

“So, just because they have an outsource function or a service provider who is operating those controls, ultimately, they're only doing it on behalf of the business.”

Read more on the next page...

Page Break

Who is likely to be included in “information security roles and responsibilities”?

According to the text of CPS 234:

An APRA-regulated entity must clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals with responsibility for decision-making, approval, oversight, operations and other information security functions.

While the whole of CPS 234 isn’t relevant to third parties, according to Refiti, the third parties involved with oversight of the information security capabilities of APRA-regulated entities will still be included.

However, Robinson added that there needs to be a distinction between general service providers and specific service providers that a responsible for the control of key information assets.

“In that third party space, that distinction between the general third party and specific service provider who is operating controls on behalf of the regulated entity, their requirement is different and therefore the role and the responsibility that they have will be different,” he said.

For those general third parties, he said it would be best for these businesses to prove their competency, like being compliant with the International Organisation for Standardisation 27001 which outlines a general standard for information security management systems.

Meanwhile, the specific third parties, like data processors should be able to assure the APRA-regulated entity that the business is operating effectively. The additional time to the deadline of 1 July 2020 can give these businesses time to update contracts to be able to ensure efficiency.

“They may need additional clauses in there to require that service provider to provide that evidence.  This can be done through SOC 2 reports, which are service organisation control reports, or through the actual auditing and testing of those controls, by either the entity itself or a partner of that entity to give specific assurance that those controls are operating effectively,” Robinson said.

Howard added that even if the third party is acting as an information security management system, it should have its own information security management system, including its own policies and procedures.

This could include an information security manager, a chief information security officer and established information and/or cyber security teams with their own roles and responsibilities well defined.

“Similarly, you will have those in IT or information teams engaging with the risk management teams and similarly be engaging with the board or senior management level.”

However, to put exact numbers on who should be involved is difficult, in Howard’s words, or as Refiti puts it, it’s “like how long is a piece of string”.

Figuring out “commensurate”

According to the text of CPS 234:

Where information assets are managed by a related party or third party, the APRA-regulated entity must assess the information security capability of that party, commensurate with the potential consequences of an information security incident affecting those assets.

For Refiti, it comes down to the dollar mark of protection versus what you’re protecting.

“Basically what they're saying is they want you to take a risk-based approach. So, they want you to have tested the risks to your organisation, identify your high priority assets,” he said.

“And then, the security controls that you apply to that need to be commensurate based on that assessment.

“If I do a risk assessment, I only have, let's say, a million dollars’ worth of worth of assets. I'm not going to be expanding $10 million to protect those assets. So, my spend will be commensurate to what I'm actually protecting.”

Read more on the next page... 

Page Break

When Howard brings this up with her client’s suppliers, there’s some difficulty in conceptualising what commensurate actually means.

How third parties can figure it out, she said, is to conduct self-assessments and to think about what potential threats could be faced by the business.

During these discussions, she sees questions about the materiality of risk being brought up. Her answer? Take a look at Prudential Standard CPS 220 Risk Management, which focuses on material risk

“The third party itself should be determining what could impact the confidentiality or integrity of the data that they are processing or storing on behalf of the entity or the availability of those services that they are providing to the entity,” she said.

“It's like looking into a mirror really; on one side the entity will be looking at material risk and then on the other side, the supplier will be looking at exactly what is it that would impact their operations and impact the service to the entity that they are providing the service to.”

Robinson added some examples, such as a contact centre using a CRM system and making sure only the right people can only see VIP customers.

If a third party is managing the infrastructure and networks, then there needs to be appropriate controls around the privileged users. In Robinson’s example, this could take the form of data encryption to prevent external attackers gaining access to the data, or sending it out in an email.

“Can we ensure that only appropriate people can update that information? If it's some configuration data related to interest payments, can someone delete a log that has identified that they changed it and then change it back?” he asked.

“There's ways and means that people can commit fraud or steal information or impact a service. So there's a range of controls available.

“I've just taken through a couple of examples, but it would come back to the business themselves.”

Making the process as smooth as possible

Third party suppliers yet to make the move to adapting to CPS 234 will have just over six months, at the time of writing, to do so.

If these suppliers are at a loss at how to show APRA-regulated entities they’re ready for the deadline, the experts agreed that suppliers can adapt to pre-existing data security compliance codes.

Both Robinson and Howard cited ISO 27001 as a starting point.

“An ISO 27001 certification is broad enough because you can be certified in a very narrow scope, both in terms of the domains within the Information Organisation for Standardisation or the scope within a business,” Robinson said.

In addition to the standards in CPS 234 and ISO 27001, Howard said the US government’s National Institute of Standards and Technology (NIST)’s cybersecurity framework is another guideline suppliers can adapt to.

Regardless of what standards suppliers adhere to, Howard added that it’s important that suppliers do adhere to a standard, as it shows a commitment to data security, and then regularly assess that they are adhering to said standard.

“The outcome of that then is obviously is to show that if there are any gaps identified, processes are in place to remediate against those gaps and any evidence to support that is also maintained and captured,” she said.

“That gives a lot of confidence to the entity, that the supplier themselves know what they need to do, when they need to do it, have identified risks and remediating those risks and gaps and maybe even implementing new controls as well to take that risk to a lower level.”

Howard also reiterated that to make sure that everyone is keeping in check with CPS 234, including board members and senior management.

If suppliers haven’t started taking action towards their responsibilities with CPS 234 soon, they should be doing so quickly, she added.

“I'd be surprised at this stage if a supplier is not aware of the CPS 234, but I think it's a great way of going forward with this to improve the security standards and posture for not only for the corporate entities, but also the suppliers.”