Financial services entities under APRA’s supervision initially needed to comply with CPS 234 by June 1st 2020, but APRA has since announced revised commencement dates for a number of industry proposals.
APRA-regulated entities have now been given a six-month extension (available on a case-by-case basis) to comply with CPS 234 by January 1st 2021.
What is CPS 234?
The main objective of the standard is to minimise both the likelihood and the impact of information security (IS) incidents on information assets, including those managed by related parties or third parties.
As the financial services regulator, APRA is responsible for ensuring the financial system is stable. More specifically, it wants to make sure that promises are kept – meaning, it wants to give you assurance that:
- Your banked money is safe;
- Insurers can satisfy your claims; and
- Your super fund is well managed.
What effect does CPS 234 have on information security?
CPS 234 is very significant for Information Security (IS) in Australia. By obligating companies to comply with CPS 234, APRA explicitly recognises that for companies to act in a prudent manner in managing your money they must build resilience against IS incidents.
This is especially important when you consider that the average cost of a data breach in Australia is just over $2.5 million. Moreover, the Office of the Australian Information Commissioner’s (OAIC) Notifiable Data Breaches Report: January – June 2020 identified finance as the second highest reporting industry sector, accounting for 14% of all breaches. Of that proportion, 59% resulted from malicious attack and 33% from human error.
“The Board of an APRA-regulated entity is ultimately responsible for Information Security.”
APRA has backed this accountability by updating its enforcement strategy, prompted in part by the Royal Commission into misconduct in the Banking, Superannuation and Financial Services Industry. APRA has a range of formal and non-formal enforcement tools at its disposal.
Non-formal approaches include working in cooperation with companies to identify and rectify problems before they threaten the ability of that company to meet its promises. However, APRA is prepared to take enforcement action when appropriate – including court-based action or directing companies to take or cease particular actions.
APRA is willing to set public examples to deter unacceptable practices, but generally its enforcement strategy favours a risk-based, deterrence approach.
5 Steps to complying with CPS 234
1. Align CPS 234 With Your Overall Information Security Strategy.
First, consider CPS 234 compliance in relation to your overall IS requirements and strategy. APRA has a number of standards and guidelines related to IS, so CPS 234 activities can be considered alongside CPS 220 – risk management requirements, CPS 231 – outsourcing, or CPG 235 – managing data risk.
Next, look at your statutory, regulatory and contractual IS obligations. We worked with a financial services company that needed to comply with CPS 234. They were also processing credit card data, and therefore had PCI DSS obligations. In addition, they wanted to become ISO 27001 certified. In tackling these two standards, they could essentially comply with CPS 234. Ensure you consider your requirements, which could include:
- CPS 234.
- The Privacy Act, including the Notifiable Data Breaches amendment.
- PCI DSS.
- ISO 27001.
- ACSC’s ISM (if you are working with Federal Government).
Don’t segment your approach. Security is more than compliance. Consider all that is on your plate, and place CPS 234 activities within this overall context.
If you feel you do not have the necessary processes in place, you might want to conduct a Cybersecurity Review to gauge the scope of exactly what is needed to arrive at your desired state. We can assist you in conducting a Gap Analysis. For more information, please contact us.
2. Ensure Good Governance and Communication of Roles and Responsibilities.
IS governance guides and controls the organisation’s security activities and specifies an accountability and responsibility framework. Companies need an IS policy framework (policies, standards, guidelines and procedures) to communicate board directives to all relevant parties.
3. Information Asset Identification and Classification
An information asset refers to information and information technology, including hardware, software and data. Assets should be classified by criticality and sensitivity. Classification is a prerequisite for ensuring security spend is cost-effective and for achieving a positive return on your security investment.
This can be a major undertaking. We certainly recommend organisations consider following the CPG 235 guidance in this area as earlier suggested. CPG 235 guidance provides a holistic, risk-based approach in governing how your data is managed.
4. IS Capability: Implementation, Testing and Monitoring of Controls
If you are the CISO of a company managing any of the information assets of a financial services company, expect an IS capability assessment to come your way:
“An APRA-regulated entity must maintain an IS capability commensurate with the size and extent of threats to its information assets. Where information assets are managed by a related party or third party, the APRA-regulated entity must assess the information security capability of that party…”
To actively maintain your IS capability within an evolving threat landscape, you must implement protection controls and regularly test the ongoing effectiveness of these controls. Remember, you know the value, sensitivity and criticality of your information assets, and these controls must be commensurate with the vulnerabilities and threats to those assets.
Control effectiveness needs a systematic testing program, which itself must be reviewed for sufficiency at least annually. Your internal auditors will review the design and operating effectiveness of controls, so make sure the necessary evidence can be provided.
5. Incident Management
IS was previously heavily focused on defence-in-depth strategies to “defend the perimeter”. This is still necessary, but no longer sufficient. There has been a change in mindset in recent years towards a greater emphasis on incident detection and response, and this is reflected in CPS 234.
The reality today is that a significant data breach at a financial services company is almost certainly a question of when, not if. Major breaches are forcing companies out of business and robust mechanisms must therefore be put in place to detect and respond in a timely manner.
Few organisations really understand their ‘state of readiness’ to respond to a cyber security incident, particularly a serious cyber security attack. CPS 234 states that companies must annually review and test their incident response plans to ensure they remain effective.
We conduct Breach Readiness Assessments and have tiered Incident Response retainers that can be scaled to your business needs. For more information, get in contact with us.
The Notifiable Data Breaches amendment to the Privacy Act came into force in February 2018, whereby companies subject to the Privacy Act are obligated to notify the Information Commissioner and impacted parties of a privacy breach. CPS 234 takes this a step further. Financial services companies must: “notify APRA as soon as possible and, in any case, no later than 72 hours, after becoming aware of an information security incident.”
This is any incident that compromises the confidentiality, integrity or availability of information assets, not just privacy breaches.