What is CPS 234?
APRA has issued mandatory information security regulations under prudential standard CPS 234. The financial services institutions that are supervised by APRA need to act now, if they have not already done so, to comply with these requirements.
The main objective of the standard is to minimise both the likelihood and the impact of information security incidents on information assets. Importantly, this includes assets managed by related parties or third parties.
APRA, as the financial services regulator, wants to ensure that the financial system is stable. More specifically, it wants to make sure that promises are kept. What does this mean? It wants to give you assurance that:
- Your banked money is safe
- Insurers can satisfy your claims
- Your super fund is well managed.
As the prudential regulator, by obligating companies to comply with CPS 234, APRA explicitly recognises that for companies to act in a prudent manner in managing your money, this must include building resilience against information security incidents.
This is very significant for Information Security in Australia. Especially so when you consider that the average cost of a data breach in Australia is $2.5 million and around 26% of cyber-attacks are directed at the financial services industry.
When do I need to comply?
CPS 234 commenced on 1 July 2019. The time is now!
However, where a company's information assets are managed by third party service providers via offshoring or outsourcing arrangements, they have until the next contract renewal date to comply, or 1 July 2020, whichever is earlier.
CPS 234 explicitly states that "The Board of an APRA-regulated entity is ultimately responsible for Information Security."
APRA has recently updated its enforcement strategy, prompted in part by the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry. It has a range of formal and non-formal enforcement tools at its disposal.
Non-formal approaches include working in cooperation with companies to identify and rectify problems before they threaten the ability of that company to meet its promises. However, APRA is prepared to take enforcement action when appropriate - including court-based action, or directing companies to take or cease particular actions.
APRA is willing to set public examples to deter unacceptable practices, but generally its enforcement strategy favours a risk-based, deterrence approach.
Step 1: Aligning CPS 234 with your overall Information Security Strategy
Before jumping straight in all guns blazing, it makes sense for organisations to take stock and consider CPS 234 compliance in relation to their overall Information Security (IS) requirements and strategy. Think of it like painting a house. If you're going to paint the bedrooms, you had better make sure the colour scheme doesn't clash with the hallway, and if you're going to paint the back room the same colour, you may want to do both jobs together.
Firstly, APRA has a number of standards and guidelines related to information security, so CPS 234 activities can be considered alongside CPS 220 - Risk Management requirements, CPS 231 - Outsourcing, or CPG 235 - Managing Data Risk.
Next, consider your overall Information Security statutory, regulatory and contractual obligations. For example, at Content Security we're working with a financial services company that needs to comply with CPS 234. They also process credit card data, so they have PCI DSS obligations, and they want to become ISO 27001 certified (the international ISMS standard). In tackling ISO 27001 and PCI DSS, they will essentially comply with CPS 234.
So, ensure you consider your requirements, which could include: CPS 234, The Privacy Act including the Notifiable Data Breaches amendment, SOC 2, PCI DSS, ISO 27001, or the ACSC's ISM if you are working with Federal Government.
Lastly, don't consider your compliance requirements in isolation from your other Information Security requirements. Security is more than compliance. What about Enterprise Data Governance and Architecture efforts in readiness for the open banking regime, for example?
Consider all that's on your plate, so to speak, and place CPS 234 activities within this overall context.
Many companies will have some of the pieces of the jigsaw in place, and others not, so you might want to conduct a Cyber Security Review or Data Governance Review, perhaps a gap analysis, to gain a clear picture and scope of exactly what is needed to arrive at your desired state.
Step 2: Ensuring you have good governance and communicating roles and responsibilities
Nothing of major significance will be achieved without good governance.
Information security governance directs and controls information security. It specifies the accountability and responsibility framework. Without good governance, you're like a ship on open waters without a rudder - even if you're clear on where you want to go, you've little chance of getting there.
As mentioned earlier, CPS 234 explicitly states that "The Board of an APRA-regulated entity is ultimately responsible for Information Security."
Companies need an information security policy framework, i.e. policies, standards, guidelines and procedures, to communicate board directives to all relevant parties.
Step 3: Information asset identification and classification
For APRA, an information asset means information and information technology, including hardware, software and data. This definition includes information assets managed by related parties and third parties.
Assets should be classified by criticality and sensitivity. Classifying your information assets is a pre-requisite for developing risk mitigation controls that are proportional to the level of risk, i.e. ensuring security spend is cost effective and you achieve a positive return on your security investment.
Aligning and integrating your CPS 234 compliance activities with your overall IS strategy is an important pre-requisite. This is probably the most important step. Good governance with well-defined roles and responsibilities is always crucial.
Information asset identification and classification is central, and can be a major undertaking. I would certainly recommend organisations consider following the CPG 235 guidance in this area, as suggested earlier. CPG 235 provides a holistic, risk-based approach to governing how your data is managed.
Step 4: IS Capability; Implementation, testing and monitoring of controls
Directly from the standard:
- "An APRA-regulated entity must maintain an IS capability commensurate with the size and extent of threats to its information assets."
- "Where information assets are managed by a related party or third party, the APRA-regulated entity must assess the information security capability of that party."
So, if you are the CISO of a company managing any of the information assets of a financial services company, expect an information security capability assessment to come your way.
You also need to consider the threats relevant to financial services, and their degree of relevance to your particular business environment and to your particular information assets.
To actively maintain your information security capability within an ever-changing environment and evolving threat-landscape, you must implement protection controls and regularly test the ongoing effectiveness of these controls. Remember, you know the value, sensitivity and criticality of your information assets, and these controls will be commensurate with the vulnerabilities and threats to these assets.
Control effectiveness needs a systematic testing program, which itself must be reviewed for sufficiency at least annually. Your internal auditors will then review the design and operating effectiveness of controls.
So, after pouring your life and soul into controls design, and being supremely confident that your controls house is in order, remember, your auditor can't see your halo from where they're standing. So ensure the necessary evidence can be provided. In God we trust, all others must bring data!
Step 5: Incident management
Information Security was previously heavily focused on defence-in-depth strategies to "defend the perimeter". This is still necessary, but no longer sufficient. There has been a change in mindset in recent years towards a greater emphasis on incident detection and response, and this is reflected in CPS 234. The reality today is that a significant information security breach at a financial services company is almost certainly a question of when, not if. Major breaches are forcing companies out of business. We mentioned earlier that the average cost of a data breach in Australia is $2.5 million. Companies have been hacked and their data exfiltrated over extended periods, all under the radar of the victim companies. So, companies must have robust mechanisms in place to detect and respond to information security incidents in a timely manner.
Few organisations really understand their 'state of readiness' to respond to a cyber security incident, particularly a serious cyber security attack. CPS 234 states companies must annually review and test their information security response plans to ensure they remain effective and fit-for-purpose.
The Notifiable Data Breaches extension to the Privacy Act came into force in February last year, whereby companies subject to the Privacy Act are obligated to notify the Information Commissioner and impacted parties of a privacy breach. CPS 234 takes this a step further. Financial services companies must "notify APRA as soon as possible and, in any case, no later than 72 hours, after becoming aware of an information security incident". This is any incident that compromises the confidentiality, integrity or availability of information assets, not just privacy breaches.
Summary of the points
- Step 1: Align CPS 234 with your overall information security strategy
- Step 2: Ensure you have good governance: defined and communicated information security roles and responsibilities, and an information security policy framework to communicate Board directives to all relevant parties.
- Step 3: Identify and classify your information assets
- Step 4: Maintain an Information Security capability commensurate with the size and extent of threats to information assets; regularly test the ongoing effectiveness of protection controls.
- Step 5: Incident Management: not only build robust mechanisms to detect and respond to information security incidents, but annually review and test response plans.