According to the Cisco 2018 Asia Pacific Security Capabilities Benchmark Study, 90 percent of Australian companies report that they receive up to 5,000 cyber threats per day.
For cybercriminals, Australia’s superannuation funds, banks, and insurers make for attractive targets. It is essential that these institutions can protect and secure their data, including the data of their clients and customers, and respond quickly and robustly if a critical cyber attack occurs.
[Infographic panels: The Evolution of Breaches; Cost of Breaches in Australia; Number of Different Security Vendors in Environment in Australia]
Cybercrime is a global issue that can have devastating financial ramifications. Since the Australian Government’s OAIC launched the Notifiable Data Breaches scheme in February 2018, however, Australian businesses stand to take greater responsibility for risks and breaches.
To help organisations protect themselves more effectively, the Australian Prudential Regulation Authority (APRA) has created a new prudential standard for information security management.
The finalised standard, known as APRA CPS 234, is designed to ensure APRA-monitored organisations are more resilient to cyber-attacks and can respond quickly should a security breach occur.
“A significant information security breach at an APRA-regulated entity is almost certainly a question of when – not if.
By introducing CPS 234, APRA aims to ensure all regulated entities develop and maintain information security capabilities that reflect the importance of the data they hold, and the significance of the threats they face.”
– Geoff Summerhayes (Executive Board Member APRA)
Summerhayes goes on to state that, should the worst-case scenario happen and a major breach occur, it could "force a company out of business".
Due to the level of risk faced by the banks, credit unions, life insurance companies, building societies, health insurers, general insurers and members of the superannuation industry that it oversees, APRA (which currently supervises institutions holding $6.5 trillion in assets) is fast-tracking the implementation of its new prudential standard CPS 234 and expects all regulated entities to meet its requirements by the 1st of July 2019.
CPS 234 Requires APRA-Regulated Organisations to:
- clearly define information-security related roles and responsibilities;
- maintain an information security capability commensurate with the size and extent of threats to their information assets;
- implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls; and
- promptly notify APRA of material information security incidents.
Monitoring your organisation’s digital assets and protecting critical company and client data is a seemingly never-ending battle, but one that prudent and proactive companies can overcome.
What is CPS 234?
CPS 234 requires that an APRA-regulated entity take the necessary measures to defend itself from cyberattacks and other information security incidents that concern the confidentiality, integrity and availability of its information assets and data. This includes information managed by third-party service providers, reflecting an increased focus by the regulator on the impact of third-party risk.
A key objective of CPS 234 is to reduce the likelihood of an information security incident from occurring.
The new CPS 234 APRA standard has been drafted to ensure the entire industry continues to develop its information security management systems, driving ongoing vigilance, improvement and investment.
As cyber criminals and their programmes become more advanced, so too should Australian cybersecurity systems — and CPS 234 ensures that these businesses continue to develop and maintain their online defences.
“APRA views cyber risk as an increasingly serious prudential threat to Australian financial institutions.”
– Geoff Summerhayes (Executive Board Member APRA)
APRA-regulated institutions must go beyond simply following the new standard: they must demonstrate compliance with CPS 234 across all of their services.
Read our full guide on how to comply with CPS 234.
Why Has APRA Introduced CPS 234, With a Particular Focus on Third-Party Risk and Notification of Data Breaches?
UpGuard supports the direction taken by APRA, and it is likely that regulators around the world will take a similar position. We conducted a study using the results of our BreachSight scanner, and its findings, listed below, support the regulatory focus on third-party risk and data breaches:
24% of companies in the ASX200 (48 in total) currently have an open data breach based on a single vector (i.e. type of breach). In our experience, when we search across multiple vectors (multiple types of breaches), we find many more exposures. So this should be interpreted as a minimum risk exposure level.
The majority of these open breaches are the result of poorly secured software development practices including from third-party developers.
The average UpGuard Cyber Security Rating of the ASX200 financial services companies supervised by APRA is just 775 (out of a maximum of 950). This is an indicator that security hygiene at many of these companies is average. For context:
- A rating of 800+ is considered quite good.
- A rating of 900+ is considered very good.
8% of companies in the ASX200 are supervised by APRA, either in banking, insurance or superannuation.
11.5% of companies in the ASX200 are licensed by ASIC to sell financial services.
The Timeline
The new CPS 234 standard is to be met by all APRA-regulated institutions by the 1st of July 2019. As a transition arrangement, a separate timeline has been set for those aspects of the new standard that apply to information assets managed by third parties.
Regulated entities will have until the earlier of the next contract renewal date or until the 1st of July 2020 to ensure third party arrangements comply with the new requirements.
APRA is fast-tracking implementation of this new standard due to the high level of risk of a major breach occurring, and the severe consequences that could occur due to inaction and complacency.
What are the New CPS 234 Requirements?
As described previously, APRA-regulated institutions will have to adhere to, and demonstrate compliance with, the CPS 234 requirements.
APRA-regulated institutions include:
- Banks
- Credit unions
- Building societies
- Insurance and reinsurance companies
- Private health insurers
- Life insurance companies
- Members of the superannuation industry
The new APRA CPS 234 requirements are, in general, similar to the previously released CPG 234. CPG 234 is something that will be familiar to most people in Australian financial services. It provides a guideline as to what APRA considers to be best practice for certain areas.
However, CPS 234 clearly shows an evolution of thinking at APRA and differs from CPG 234 in a few areas. The new requirements are:
1. The Responsibility of the Board
APRA firmly states that boards need to thoroughly understand their responsibilities when it comes to managing information security risks:
“The Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains the information security of its information assets in a manner which is commensurate with the size and extent of threats to those assets, and which enables the continued sound operation of the entity”.
– The Australian Prudential Regulation Authority
The document goes on to state that the entity must also clearly define the information security roles and responsibilities of the Board and of those in
“senior management, governing bodies and individuals with responsibility for decision-making, approval, oversight, operations and other information security functions.
An APRA-regulated entity’s information security policy framework must provide direction on the responsibilities of all parties who have an obligation to maintain information security.”
– The Australian Prudential Regulation Authority
2. Information Security Capability
Particular attention is also paid to businesses that may be using third parties for the management of information assets. According to the CPS 234 update, APRA-regulated entities will be required to assess the third party’s security capabilities.
“Where information assets are managed by a related party or third party, the APRA-regulated entity must assess the information security capability of that party, commensurate with the potential consequences of an information security incident affecting those assets.”
– The Australian Prudential Regulation Authority
The finalised document goes on to state that the entity must
“actively maintain its information security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or its business environment.”
– The Australian Prudential Regulation Authority
APRA has also received questions from supervised entities about the risk from fourth parties, i.e. subcontractors to third parties. APRA’s response is that monitoring of fourth and fifth parties remains the responsibility of the supervised entity.
3. Information Asset Identification and Classification
“An APRA-regulated entity must classify its information assets, including those managed by related parties and third parties, by criticality and sensitivity.
This classification must reflect the degree to which an information security incident affecting an information asset has the potential to affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers.”
– The Australian Prudential Regulation Authority
4. Implementation of Controls
Third parties come into focus again with this requirement. The finalised document states that an APRA-regulated entity must have, “information security controls to protect its information assets, including those managed by related parties and third parties, that are implemented in a timely manner and that are commensurate with:
- vulnerabilities and threats to the information assets;
- the criticality and sensitivity of the information assets;
- the stage at which the information assets are within their life-cycle; and
- the potential consequences of an information security incident.”
If an APRA-regulated entity’s information assets are managed by a third party or a related party, CPS 234 states that the entity, “must evaluate the design of that party’s information security controls that protects the information assets of the APRA-regulated entity.”
5. Incident Management
Responding quickly to information security incidents plays another important role in the finalised CPS 234 document. Informing APRA of incidents that one of its regulated entities has experienced is a key focus.
“An APRA-regulated entity must have robust mechanisms in place to detect and respond to information security incidents in a timely manner. An entity must maintain plans to respond to information security incidents that the entity considers could plausibly occur”
– The Australian Prudential Regulation Authority
These “plans” are known as “information security response plans” and they must include the “mechanisms in place for:
- managing all relevant stages of an incident, from detection to post-incident review;
- escalation and reporting of information security incidents to the Board, other governing bodies and individuals responsible for information security incident management and oversight, as appropriate.”
Communication and responsiveness are very much the key here. In addition, an APRA-regulated entity must annually review and test its information security response plans to ensure they remain effective.
6. Testing Control Effectiveness
The constantly evolving nature of cybercrime and the methods used means that organisations cannot afford to become complacent. What has worked for years may not work tomorrow.
To ensure APRA-regulated businesses remain vigilant, CPS 234 requires entities to regularly test the effectiveness of their information security controls through a “systematic testing program”.
The frequency and nature of this systematic testing must “be commensurate with:
- the rate at which the vulnerabilities and threats change;
- the criticality and sensitivity of the information asset;
- the consequences of an information security incident;
- the risks associated with exposure to environments where the APRA-regulated entity is unable to enforce its information security policies; and
- the materiality and frequency of change to information assets.”
Once again, third parties are subject to closer scrutiny:
“Where an APRA-regulated entity’s information assets are managed by a related party or a third party, and the APRA-regulated entity is reliant on that party’s information security control testing, the APRA-regulated entity must assess whether the nature and frequency of testing of controls in respect of those information assets is commensurate with (a) to (e)”
– The Australian Prudential Regulation Authority
In addition to the above, this section of CPS 234 also states that the Board or senior management must be informed of any testing results that “identify information security control deficiencies that cannot be remediated in a timely manner.”
It is also required that these tests are to be conducted by, “appropriately skilled and functionally independent specialists”. The entity is also required to review the sufficiency of the testing program annually (at a minimum) or when, “there is a material change to information assets or the business environment.”
For further details regarding the new requirements, read the full CPS 234 document.
Breach Notifications
Businesses are to notify APRA of cyber security incidents within 72 hours of becoming aware of them. CPS 234 requires businesses to notify APRA within this period should they experience an information security incident that:
- “materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers;
- has been notified to other regulators, either in Australia or other jurisdictions.”
Initially APRA proposed that the notification timeframe would be 24 hours. APRA comments that the 72-hour timeframe “will provide regulated entities with appropriate time to properly assess an information security incident and determine how to deal with the issue” and will also align with the breach notification regimes of other regulators.
CPS 234 also requires that entities notify APRA within 10 days of becoming aware of a material information security control weakness which the entity expects it will not be able to “remediate in a timely manner.”
What’s to Come?
1st July 2019 is the day that the finalised CPS 234 standard will come into effect. It is also expected that APRA will update the current PPG (Prudential Practice Guide) CPG 234 Management of Security Risk in Information & Information Technology, which has not been updated since May 2013.
What Should Organisations Do?
Each APRA-regulated entity should begin classifying its information assets according to their sensitivity and criticality. This classification process should take into consideration the effect that a security breach could have on the business, customers, key stakeholders, and any other individuals or groups that could be affected.
As we have stated earlier, entities that entrust a third party to manage their information assets must do their due diligence to ensure they are secure.
The CPS 234 requirements will soon become compulsory, and the new prudential standard may seem overwhelming to organisations that are finding it difficult to comply. UpGuard can help your APRA-regulated organisation ensure it meets the fast-approaching new security standard, CPS 234.
Quick Summary: Key Takeaways
CPS 234 key requirements and takeaways:
- The responsibility of the board — The Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains the information security of its information assets. APRA has recognised that the boards of its regulated entities need to improve their understanding and management of cyber risk. This will play out in many ways, including changes to board skills assessments and the processes to appoint new directors at APRA-regulated entities.
- Information security capability — Where information assets are managed by a related party or third party, the APRA-regulated entity must assess the information security capability of that party. Entities must actively maintain their information security capability and keep their systems up to date in order to respond to new threats.
- Information asset identification and classification — Information assets are to be classified according to their criticality and sensitivity. Consideration as to how the business, customers, and other individuals may be affected if a breach was to occur should guide the classification process.
- Implementation of controls — Entities must have information security controls in place to protect information assets, including those managed by related parties and third parties.
- Incident management — Rather than waiting for a PR nightmare or, worse still, the loss of critical customer information, APRA is signalling that financial services companies need to be even more mindful because of their prudential obligations. Entities must have information security response plans in place so that they can respond robustly to security incidents. These plans must include the mechanisms for managing all relevant stages of an incident and for escalation and reporting of information security incidents to the Board, other governing bodies and other individuals responsible for information security.
- Testing control effectiveness — Entities must regularly test the effectiveness of their information security controls through a systematic testing program. These tests must be conducted by “appropriately skilled and functionally independent specialists”, and the sufficiency of the testing program must be reviewed at least annually, or whenever there is a material change to information assets or the business environment.
- 72-hour notice period — Businesses are to notify APRA of cyber security incidents within 72 hours after they become aware of them. Entities are also required to notify APRA within 10 days after becoming aware of a material information security control weakness, which the entity expects will not be able to “remediate in a timely manner”.
- 1st July 2019 — CPS 234 will come into effect on the 1st of July 2019.