
APRA CPS 234 Information Security Compliance

Assess Third Parties to Ensure Business Resilience

The Australian Prudential Regulation Authority (APRA) implemented the CPS 234 regulatory standard in July 2019 in response to the constant threat of cyberattacks targeting financial services organizations.

The CPS 234 standard requires all financial services organizations in Australia to “take measures to be resilient against information security incidents (including cyber-attacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats.”

A key objective of the standard is minimizing the impact of information security incidents on the confidentiality, integrity and availability of assets and data managed by third parties. The Prevalent Third-Party Risk Management Platform helps organizations build and govern their TPRM programs according to APRA requirements.

Relevant Requirements

  • Define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals

  • Maintain an information security capability that enables operational resilience and is commensurate with the scope of threats to its information assets

  • Implement controls to protect its information assets according to their criticality and sensitivity, and systematically test the effectiveness of those controls

  • Notify APRA of material information security incidents

Map TPRM Capabilities to APRA CPS 234 Requirements

Review this checklist to understand key third-party risk management requirements in the CPS 234 Information Security Standard from the Australian Prudential Regulation Authority (APRA).


Meeting APRA CPS 234 Third-Party Risk Management Requirements

This section maps capabilities in the Prevalent Third-Party Risk Management Platform to select articles in the Australian Prudential Regulation Authority (APRA) CPS 234 Information Security standard.

NOTE: This is a summary of the most relevant articles only, and it should not be considered comprehensive, definitive guidance. For a complete list of articles, please review the complete document in detail and consult your auditor.

Requirements / How We Help

Roles and Responsibilities

13. The Board of an APRA-regulated entity (Board) is ultimately responsible for the information security of the entity. The Board must ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.

14. An APRA-regulated entity must clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals with responsibility for decision-making, approval, oversight, operations and other information security functions.

Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program in line with your broader information security and governance, risk and compliance programs based on proven best practices and extensive real-world experience.

Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite.

As part of this process, Prevalent can help you define:

  • Clear roles and responsibilities (e.g., RACI)
  • Third-party inventories
  • Risk scoring and thresholds based on your organization’s risk tolerance
  • Assessment and monitoring methodologies based on third-party criticality
  • Fourth-party mapping
  • Sources of continuous monitoring data (cyber, business, reputational, financial)
  • Key performance indicators (KPIs) and key risk indicators (KRIs)
  • Governing policies, standards, systems and processes to protect data
  • Compliance and contractual reporting requirements against service levels
  • Incident response requirements
  • Risk and internal stakeholder reporting
  • Risk mitigation and remediation strategies

Information Security Capability

15. An APRA-regulated entity must maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.

See Roles and Responsibilities (13 and 14) above.

16. Where information assets are managed by a related party or third party, the APRA-regulated entity must assess the information security capability of that party, commensurate with the potential consequences of an information security incident affecting those assets.

Prevalent offers a library of more than 200 pre-built templates for third-party risk assessments. Assessments can be conducted at the time of onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually).

Assessments are managed centrally in the Prevalent Platform. They are backed by workflow, task management and automated evidence review capabilities to enable visibility into third-party risks throughout the vendor or supplier relationship.

Importantly, Prevalent delivers built-in remediation recommendations based on risk assessment results to ensure that third parties address risks in a timely and satisfactory manner.

For organizations with limited resources and expertise, Prevalent can manage the third-party risk lifecycle on your behalf – from onboarding vendors and collecting evidence, to providing remediation guidance and reporting on contract SLAs. As a result, you reduce vendor risk and simplify compliance without burdening internal staff.

17. An APRA-regulated entity must actively maintain its information security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or its business environment.

Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data is correlated with assessment results (noted in item 16 above) and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

Monitoring sources include:

  • 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
  • A database containing 10+ years of data breach history for thousands of companies around the world

Because not all threats are direct cyberattacks, Prevalent also incorporates data from the following sources to add context into cyber findings:

  • 550,000 public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more
  • A global network of 2 million businesses with 5 years of organizational changes and financial performance, including turnover, profit and loss, shareholder funds, etc.
  • 30,000 global news sources
  • A database containing over 1.8 million politically exposed person profiles
  • Global sanctions lists and over 1,000 global enforcement lists and court filings

Policy Framework

18. An APRA-regulated entity must maintain an information security policy framework commensurate with its exposures to vulnerabilities and threats.

19. An APRA-regulated entity’s information security policy framework must provide direction on the responsibilities of all parties who have an obligation to maintain information security.

The Prevalent Platform features a library of more than 200 pre-built templates for third-party risk assessments, including those that map to leading information security governance frameworks such as ISO.

Reporting enables you to visualize and address compliance requirements by automatically mapping assessment results and data feeds to regulatory requirements and frameworks.
Role-specific views ensure that stakeholders can identify and act on risks, with built-in remediation recommendations.

Information Asset Identification and Classification

20. An APRA-regulated entity must classify its information assets, including those managed by related parties and third parties, by criticality and sensitivity. This classification must reflect the degree to which an information security incident affecting an information asset has the potential to affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers.

Prevalent enables you to assess and monitor third parties based on the extent of threats to their information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification include:

  • Type of content required to validate controls
  • Criticality to business performance and operations
  • Location(s) and related legal or regulatory considerations
  • Level of reliance on fourth parties (to avoid concentration risk)
  • Exposure to operational or client-facing processes
  • Interaction with protected data
  • Financial status and health
  • Reputation

From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.
Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations.
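The inherent-risk criteria listed above can be turned into a repeatable tiering rule. The following is an added illustration, not Prevalent's own scoring logic: each criterion is rated 1 (low risk) to 5 (high risk), combined with assumed weights into a single score, and mapped to a tier that drives assessment cadence (quarterly, annual, or at onboarding and contract renewal). Rule overrides force a minimum tier when protected data or business criticality is involved regardless of the weighted score. The weights, thresholds, overrides, and the three sample vendors are all constructed for the example.

```python
from dataclasses import dataclass

# Criteria drawn from the inherent-risk list above. The weights are assumed for
# illustration; a real program would set them from its own risk tolerance.
WEIGHTS = {
    "criticality": 0.25,             # criticality to business performance and operations
    "protected_data": 0.20,          # interaction with protected data
    "client_facing_exposure": 0.15,  # exposure to operational or client-facing processes
    "regulatory_location": 0.10,     # location(s) and legal/regulatory considerations
    "fourth_party_reliance": 0.10,   # reliance on fourth parties (concentration risk)
    "financial_health": 0.10,        # financial status and health
    "reputation": 0.10,              # reputation
}

# Assumed thresholds on the 1..5 weighted score: >= 4.0 is Tier 1, >= 2.5 is Tier 2, else Tier 3.
TIER_THRESHOLDS = [(4.0, 1), (2.5, 2)]
# Assumed cadence that each tier drives for ongoing assessment.
TIER_CADENCE = {1: "quarterly", 2: "annually", 3: "onboarding and contract renewal"}


@dataclass(frozen=True)
class VendorProfile:
    name: str
    ratings: dict  # criterion name -> int rating, 1 (low risk) .. 5 (high risk)


def validate(profile: VendorProfile) -> None:
    """Reject profiles with unknown, missing, or out-of-range criterion ratings."""
    if set(profile.ratings) != set(WEIGHTS):
        raise ValueError(f"{profile.name}: ratings must cover exactly {sorted(WEIGHTS)}")
    for criterion, rating in profile.ratings.items():
        if not isinstance(rating, int) or not 1 <= rating <= 5:
            raise ValueError(f"{profile.name}: {criterion} rating {rating!r} not in 1..5")


def inherent_risk_score(profile: VendorProfile) -> float:
    """Weighted inherent-risk score on the same 1..5 scale as the ratings."""
    validate(profile)
    score = sum(WEIGHTS[c] * profile.ratings[c] for c in WEIGHTS)
    return round(score, 2)


def assign_tier(profile: VendorProfile) -> int:
    """Tier from the weighted score, then tightened by rule-based overrides."""
    score = inherent_risk_score(profile)
    tier = 3
    for threshold, candidate in TIER_THRESHOLDS:
        if score >= threshold:
            tier = candidate
            break
    # Assumed overrides: a supplier that is critical to operations is always Tier 1,
    # and one that handles protected data is never below Tier 2, whatever the score.
    if profile.ratings["criticality"] == 5:
        tier = min(tier, 1)
    if profile.ratings["protected_data"] >= 4:
        tier = min(tier, 2)
    return tier


def assessment_plan(profile: VendorProfile) -> dict:
    """Score, tier, and the cadence of further diligence the tier implies."""
    tier = assign_tier(profile)
    return {"vendor": profile.name, "score": inherent_risk_score(profile),
            "tier": tier, "cadence": TIER_CADENCE[tier]}


# Constructed sample vendors (not real suppliers).
CORE_BANKING = VendorProfile("core-banking-saas", {
    "criticality": 5, "protected_data": 5, "client_facing_exposure": 4,
    "regulatory_location": 3, "fourth_party_reliance": 2,
    "financial_health": 2, "reputation": 2})
OFFICE_SUPPLIES = VendorProfile("office-supplies", {c: 1 for c in WEIGHTS})
PAYROLL_PROCESSOR = VendorProfile("payroll-processor", {
    "criticality": 2, "protected_data": 5, "client_facing_exposure": 1,
    "regulatory_location": 1, "fourth_party_reliance": 1,
    "financial_health": 1, "reputation": 1})

if __name__ == "__main__":
    for vendor in (CORE_BANKING, OFFICE_SUPPLIES, PAYROLL_PROCESSOR):
        print(assessment_plan(vendor))
```

The payroll example shows why the overrides matter: its weighted score alone would leave it in Tier 3, but the protected-data rule lifts it to Tier 2 and annual reassessment, which is the kind of exception a purely additive score would miss.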

Implementation of Controls

21. An APRA-regulated entity must have information security controls to protect its information assets, including those managed by related parties and third parties, that are implemented in a timely manner and that are commensurate with:

(a) vulnerabilities and threats to the information assets;

(b) the criticality and sensitivity of the information assets;

(c) the stage at which the information assets are within their life-cycle; and

(d) the potential consequences of an information security incident.

Prevalent automates risk assessments to extend the visibility, efficiency and scale of your third-party risk management program across every stage of the third-party lifecycle.

With a library of 200+ standardized assessments, customization capabilities, and built-in workflow and remediation, the solution automates everything from survey collection and analysis to risk rating and reporting.

With Prevalent, you can easily gather and correlate intelligence on a wide range of vendor controls to determine threats to information management, based on the criticality of the third party as determined by the inherent risk assessment.

Results of assessments and continuous monitoring are collated in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk and have ready-made remediation recommendations for third parties to mitigate the risks.

22. Where an APRA-regulated entity’s information assets are managed by a related party or third party, the APRA-regulated entity must evaluate the design of that party’s information security controls that protects the information assets of the APRA-regulated entity.

The Prevalent Controls Validation Service reviews third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place.

Prevalent experts first review assessment responses, whether from custom or standardized questionnaires. We then map the responses to SIG, SCA, ISO, SOC 2, AITECH, and/or other control frameworks. Finally, we work with you to develop remediation plans and track them to completion. With remote options available, Prevalent delivers the expertise to help you reduce risk with your existing resources.

Incident Management

23. An APRA-regulated entity must have robust mechanisms in place to detect and respond to information security incidents in a timely manner.

24. An APRA-regulated entity must maintain plans to respond to information security incidents that the entity considers could plausibly occur (information security response plans).

25. An APRA-regulated entity’s information security response plans must include the mechanisms in place for:

(a) managing all relevant stages of an incident, from detection to post-incident review; and

(b) escalation and reporting of information security incidents to the Board, other governing bodies and individuals responsible for information security incident management and oversight, as appropriate.

26. An APRA-regulated entity must annually review and test its information security response plans to ensure they remain effective and fit-for-purpose.

Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. Key capabilities include:

  • Continuously updated and customizable event and incident management questionnaires
  • Real-time questionnaire completion progress tracking
  • Defined risk owners with automated chasing reminders to keep surveys on schedule
  • Proactive vendor reporting
  • Consolidated views of risk ratings, counts, scores, and flagged responses for each vendor
  • Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
  • Guidance from built-in remediation recommendations to reduce risk
  • Built-in report templates
  • Data and relationship mapping to identify relationships between your organization and third parties to visualize information paths and determine at-risk data

Testing Control Effectiveness

27. An APRA-regulated entity must test the effectiveness of its information security controls through a systematic testing program. The nature and frequency of the systematic testing must be commensurate with:

(a) the rate at which the vulnerabilities and threats change;

(b) the criticality and sensitivity of the information asset;

(c) the consequences of an information security incident;

(d) the risks associated with exposure to environments where the APRA-regulated entity is unable to enforce its information security policies; and

(e) the materiality and frequency of change to information assets.

28. Where an APRA-regulated entity’s information assets are managed by a related party or a third party, and the APRA-regulated entity is reliant on that party’s information security control testing, the APRA-regulated entity must assess whether the nature and frequency of testing of controls in respect of those information assets is commensurate with paragraphs 27(a) to 27(e) of this Prudential Standard.

See Implementation of Controls (22), above.

29. An APRA-regulated entity must escalate and report to the Board or senior management any testing results that identify information security control deficiencies that cannot be remediated in a timely manner.

Prevalent helps you reveal risk trends, third-party risk status, and exceptions to common behavior with embedded machine learning (ML) insights and customizable, role-based report views.

In addition, Prevalent helps to centrally measure third-party KRIs to reduce risks from gaps in vendor oversight by providing a framework to measure against requirements.

With this capability, you can quickly identify outliers that warrant further investigation, get the right data to the right people, and efficiently determine the acceptability of risks.

30. An APRA-regulated entity must ensure that testing is conducted by appropriately skilled and functionally independent specialists.

31. An APRA-regulated entity must review the sufficiency of the testing program at least annually or when there is a material change to information assets or the business environment.

See Implementation of Controls (22) above.

Internal Audit

32. An APRA-regulated entity’s internal audit activities must include a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties (information security control assurance).

Prevalent standardizes assessments against SOC 2, Cyber Essentials, ISO, and other information security control frameworks, providing internal audit and IT security teams with a central platform for measuring and demonstrating adherence to internal IT controls mandates. These same assessments are also used to assess the information security controls of third parties, delivering a consolidated, inside-out view of information security.

33. An APRA-regulated entity must ensure that the information security control assurance is provided by personnel appropriately skilled in providing such assurance.

See Implementation of Controls (22) above.

34. An APRA-regulated entity’s internal audit function must assess the information security control assurance provided by a related party or third party where:

(a) an information security incident affecting the information assets has the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers; and

(b) internal audit intends to rely on the information security control assurance provided by the related party or third party.

The Prevalent Platform includes an automation and rules engine that automatically suggests actions or changes risk scores based on assessment results and external data feeds. With this capability, you can automatically create tasks based on events and assign them to owners to track issues to conclusion. This helps accelerate risk reduction timelines.

Prevalent also continuously monitors for cybersecurity, business, reputational, and financial changes that can materially impact a third-party relationship. Results are correlated to third-party assessments for a comprehensive, validated approach to third-party risk management.

APRA Notification

35. An APRA-regulated entity must notify APRA as soon as possible and, in any case, no later than 72 hours, after becoming aware of an information security incident that:

(a) materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers; or

(b) has been notified to other regulators, either in Australia or other jurisdictions.

36. An APRA-regulated entity must notify APRA as soon as possible and, in any case, no later than 10 business days, after it becomes aware of a material information security control weakness which the entity expects it will not be able to remediate in a timely manner.

Prevalent reveals risk trends, third-party risk status and exceptions to common behavior with embedded machine learning (ML) insights and customizable report views based on role.

With Prevalent, you can visualize and address compliance requirements by automatically mapping assessment results to regulatory and industry frameworks. You can also produce regulatory-specific reporting in a fraction of the time that is normally devoted to manual, spreadsheet-based risk assessment processes.

Align Your TPRM Program with 13 Industry Standards

Download this guide to review industry standards with specific TPRM requirements, and discover best practices for simplifying compliance.
