In response to the constant threat of cyberattacks targeting financial services organizations, the Australian Prudential Regulation Authority (APRA) implemented the CPS 234 regulatory standard in July 2019. The standard requires all financial services organizations in Australia to, “take measures to be resilient against information security incidents (including cyber-attacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats.”
Specifically, CPS 234 requires organizations to:
A key objective of the standard is minimizing the impact of information security incidents on the confidentiality, integrity and availability of assets and data managed by third parties. This post examines key APRA CPS 234 provisions that govern third-party information security requirements and identifies best practices that you can use to address these requirements.
Map TPRM Capabilities to APRA CPS 234 Requirements
Review this checklist to understand key third-party risk management requirements in the CPS 234 Information Security Standard from the Australian Prudential Regulation Authority (APRA).
The APRA standard is organized into several categories of requirements. We have identified the most applicable to third-party risk management and best practice capabilities that can help meet the requirements.
This category includes provisions that require companies to identify who in their organization is responsible for information security and what functions they perform. It encourages the formation of cross-functional teams to provide proper oversight, and governance from the board of directors.
To ensure that third-party risk management is a key component of an overall information security program, build a comprehensive third-party risk management (TPRM) program in line with your broader information security and governance, risk and compliance programs based on proven best practices and extensive real-world experience. As part of this governance program, your internal teams should define:
This category includes requirements to regularly assess the information security capability of third parties and continuously monitor threats.
To assist in automating what can be a very cumbersome process, consider:
If you are faced with limited resources and expertise, you can outsource the management of the third-party risk lifecycle – from onboarding vendors and collecting evidence, to providing remediation guidance and reporting on contract SLAs. As a result, you reduce vendor risk and simplify compliance without burdening internal staff.
The Policy Framework category requires companies to maintain a security policy and ensure that internal teams and third parties are aware of it and adhere to it, and that it is regularly evaluated.
Since compliance can be tricky and time-consuming, leverage an assessment methodology that maps to leading information security governance frameworks such as ISO. With this capability, you can visualize and address compliance requirements in the framework that is most applicable to your organization.
This CPS 234 category requires APRA-regulated entities to classify their information assets, including those managed by related parties and third parties, by criticality and sensitivity.
To jump start this process, define a methodology for tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification should include the following attributes:
From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.
These categories require companies to have information security controls to protect information assets, including those managed by related parties and third parties; that they are commensurate with the risks applicable to the company; that their design is regularly tested; and that deficiencies that cannot be remediated in a timely manner are escalated to the board or senior management.
Start by reviewing third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place. Then, map the responses to common frameworks such as SIG, ISO or SOC 2 to simplify their evaluation and track remediations to completion.
This category requires APRA-regulated entities to have policies and procedures in place to detect and respond to information security incidents in a timely manner, including escalation, reporting, and regular review of policies.
Having a tested and proven incident management process in place is essential for accelerating incident discovery and mitigation. Key steps include centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance.
This APRA CPS 234 category says that internal audit activities must include a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties (information security control assurance); and that information security control assurance should be provided by personnel appropriately skilled in providing such assurance.
Standardize information security assessments against SOC 2, Cyber Essentials, ISO, or other information security control frameworks. This approach provides internal audit and IT security teams with a central methodology for measuring and demonstrating adherence to internal IT controls. These same assessments are also used to assess the information security controls of third parties, delivering a consolidated, inside-out view of information security.
The final category of the APRA 234 standard requires APRA-regulated entities to notify APRA within 72 hours after becoming aware of a material information security incident, and within 10 business days after it becomes aware of a material information security control weakness that cannot be remediated in a timely manner.
Meeting this requirement is all about producing effective reporting. Machine learning (ML) analytics helps by revealing risk trends, third-party risk status and exceptions to common behavior that might not be obvious with simple spreadsheet-based reports. This level of analytics help you to visualize and address compliance requirements by automatically mapping assessment results to regulatory and industry frameworks, and produce regulatory-specific reporting in a fraction of the time that is normally devoted to manual, spreadsheet-based risk assessment processes.
Prevalent can help your financial services organization add governance and oversight to its third-party relationships by: