Jean-Baptiste Bres

APRA CPS 234: Are you ready?

The Australian Prudential Regulation Authority (APRA) has just published the final version of the Prudential Standard CPS 234 (Information Security), which will be enforceable from 1 July 2019. Have you assessed your readiness? This article reviews the main expectations of the regulator and provides some guidance on how to ensure timely compliance.

The APRA Prudential Standard CPS 234 defines APRA's expectations of financial institutions around Information Security.

It extends the already existing CPG 234 (Management of Security Risk in Information and Information Technology). While the CPG was a Practice Guide (which acts as guidance), the new document is a Prudential Standard, which requires compliance to be demonstrated by the regulated institution, usually through internal and/or external audits.

The current version is final and is enforceable by 1 July 2019 for internally managed capabilities and by the earlier of renewal of contract or 1 July 2020 for third parties.

As with any Prudential Standard, CPS 234 defines the high-level minimum standards APRA expects from the regulated entities. With the exception of some timeframes around reporting to the regulator, most of the requirements can be seen as framework orientations and do not contain details of technical or functional expectations. It remains the responsibility of the regulated entity to define what is appropriate and to set up the appropriate controls and protections.

In APRA's own terms, the capabilities need to be “commensurate with the vulnerabilities and threats to which [the regulated institution’s] information assets are exposed” and “enable the continued, sound operation of the entity”. It is for the regulated entity to determine what level of risk it is exposed to, and what its appetite is to manage it.

The APRA CPS 234 focuses on a few fundamental requirements:
  • having a clear definition of the information-security related roles and responsibilities, especially those of the Board, senior management, governing bodies and individuals;
  • maintaining an information security capability commensurate with the size and extent of the threats, and which enables the continued sound operation of the entity;
  • implementing controls to protect the information assets commensurate with the criticality and sensitivity of those information assets, and ensuring a 3-lines-of-defence model (control, test, assurance) is in place;
  • managing information security incidents and notifying APRA in a timely manner if an incident is material; and
  • ensuring related parties and third parties are considered and treated commensurate with the risk those parties represent.

Roles and responsibilities

The APRA CPS 234 reinforces the ultimate responsibility of the board for having an adequate Information Security program in place, and insists that the roles of all parties (from the board to senior management, governing bodies and individuals) must be clearly defined.

The CPS 234 does not define the expected level of board involvement in the Security Program, but the intention is clearly to ensure strong engagement with, and understanding of, the topic by the board members. It will not be enough for board members to be satisfied with a simple statement of compliance or certification. They should now seek evidence about the security program. That can be done through board education, and also by seeking key metrics around security effectiveness and coverage, and by ensuring that an efficient and independent 3-lines-of-defence model is in place.

Information Security Capability

The Prudential Standard does not define the capabilities required for a proper Information Security practice either. It is for the regulated institution to define what specific capabilities are needed and what level of maturity they are expected to reach.
However, the APRA CPS 234 insists on three aspects:
  • Understanding the assets: a regulated institution is expected to identify its information assets and classify them by sensitivity and criticality.
  • Understanding the threats they are exposed to: having identified its assets, the regulated institution is expected to identify what threats they are exposed to. Due to the constantly changing nature of the threat landscape, a review of the threat exposure should be performed on a regular basis.
  • Ensuring the protection of the assets is commensurate with the threat: this means that a one-size-fits-all approach is not an adequate solution for security. The capabilities, controls and skills that compose the Security Capability need to be adapted to each case so that the risks are adequately mitigated. It is a clear statement that generic controls (such as generic penetration testing) or single perimeter protections (such as a firewall) are not considered enough, and that the overall framework needs to cater for the complexity of the environment.

Adequate controls and 3-lines-of-defence

The Prudential Standard describes an adequate level of risk management as a 3-lines-of-defence:
  1. Controls (first line) must be in place to protect information assets. Controls cover the technical solutions and human activities that reduce the risks. They can be automated or part of manual procedures, but must remain commensurate with the vulnerabilities and threats faced, the criticality and sensitivity of the assets, and the potential consequences if an incident were to occur.
  2. Tests (second line) should be in place to ensure the controls are effective. Tests can be controls of controls (for example, checking that patching has been performed as expected) or reviews (for example, access reconciliation). What is expected is that the tests are adequate, regular and performed by independent and skilled specialists, and that test failures are reported to senior management or the board.
  3. Assurance (third line) or internal audit must be conducted regularly and include a review of the design and operating effectiveness of the controls. Again, it is expected that these reviews are performed by independent and skilled specialists.

Information Security Incident Management and Escalation

APRA expects regulated institutions to have robust information security incident detection and incident response capabilities. This covers all stages of an incident (from detection to post-incident review) and its escalation. In particular, the CPS 234 now sets a clear timeframe (no later than 72 hours) for reporting an incident to APRA if it materially affects (or has the potential to materially affect) the entity, its beneficiaries, customers, etc.

In terms of incident response, the prudential standard insists that the response plans cannot be generic and must cover the incidents that could plausibly happen. For the regulated institution, this means that a good understanding of the threats must be in place, and that plans for all likely threats must be documented.

The prudential standard also highlights the need for the entity to confirm that the plans are effective on an annual basis, which means that incident exercises are expected to be performed to ensure staff are adequately prepared to respond to a real event.

Related and Third Parties

While there is no section dedicated to the information security management of third parties, almost every section of the Prudential Standard states that the requirements defined by APRA for the regulated institutions apply to all third parties (to the extent of the criticality and risk associated with those parties).

APRA's requirements are very much aligned with other APRA Prudential Standards, especially as defined in the APRA CPS 231 Outsourcing. Risks cannot be outsourced to third parties, and the regulated institution has an obligation to ensure each provider is complying with the regulated institution's policies (and APRA's requirements) and is adequately monitored.

The CPS 234 however extends some of the requirements previously covered by other APRA Prudential Standards. The requirements are not limited to third parties critical for the activity, but apply to all parties based on the risk they represent from an Information Security perspective. This means, again, that a one-size-fits-all approach to third parties might not be sufficient, and that rules might need to be defined based on the activity, the involvement and the assets accessed or managed. APRA also requires a stricter review of partners and vendors, including through auditing, clearly indicating that a statement of compliance or certification is not enough and that evidence needs to be gathered and reviewed to ensure the parties are performing as claimed.

Measuring Readiness & Preparing an Action Plan

To help you measure your company's readiness, I am offering you a tool that you are free to use: download the Microsoft Excel (xlsx) version or the OpenDocument Spreadsheet (ods) version. The tool helps you define your current compliance level against every requirement and gives you an indicative (and absolutely not official) readiness “score”. It also helps you identify your gaps and so prepare a list of actions to remediate them.

For each requirement, you can rate yourself as “Compliant” (meaning you are already ready), “Needs development” (some adjustments are required to ensure full compliance; adjustments might be modifications of existing processes or a minor update to reflect a practice already in place but not documented) or “Non-compliant” (the required capability does not exist).

While defining your action plan, remember that APRA's expectation is compliance by 1 July 2019 for internally managed capabilities and, for third parties, by the earlier of the contract renewal date or 1 July 2020.