Most CPS 234 obligations came into effect for APRA-regulated entities on 1 July 2019. However, you have until 1 July 2020 (or the next contract renewal date, if earlier), to comply with CPS 234 with respect to any information assets that are managed by third parties.[1]
CPS 234 makes clear that the ultimate responsibility for ensuring this compliance lies with the Board.[2]
Below is a checklist of practical steps that you can take now to ensure compliance by 1 July where you have information assets managed by third parties:
Step 1 – Identify which third parties are involved in managing your information assets, and their roles and responsibilities
In order to determine which third parties your CPS 234 obligations extend to, you will need to identify which third parties are involved in managing your information assets.
CPS 234 requires you to clearly define all information security-related roles and responsibilities, including the role of the Board, senior management, governing bodies and individuals with responsibility for decision-making, approval, oversight, operations and other information security functions.[3] Some of these roles and responsibilities may be performed by third parties. For example, third party suppliers that provide you with managed services or information security testing services. Accordingly, you will need to ensure that such roles and responsibilities have been clearly defined in addition to internal roles and responsibilities.
Step 2 – Ensure all information assets managed by third parties have been identified and classified
CPS 234 requires you to classify all information assets (including those managed by third parties) by criticality and sensitivity. This classification must reflect the degree to which an information security incident affecting an asset has the potential to affect you or the interests of depositors, policyholders, beneficiaries or other customers.[4] Even if this has already been done for internally managed assets, you need to now check that it has been done for information assets managed by third parties.
Step 3 – Update your information security policy framework
CPS 234 requires your information security policy framework to be proportionate to your exposure to vulnerabilities and risks, and to provide direction on the responsibilities of all parties who have an obligation to maintain information security, including third party suppliers.[5] Consider now whether any changes are required to your information security policy framework to cater for information assets managed by third parties.
Step 4 – Review supplier information security capability
CPS 234 requires you to assess the information security capability of third parties who manage your information assets, and whether such capability is commensurate with the potential consequences of an information security incident affecting the relevant assets.[6] If you consider a third party’s capability is commensurate, check that you have contractual controls in place to ensure that such capability is maintained by the third party. If you consider its capability is not commensurate, consider what changes the third party will need to make so that its capability is commensurate, and include remediation requirements in the third party contract.
Step 5 – Review supplier information security controls
CPS 234 requires you to have information security controls to protect your information assets (including those managed by third parties) that can be implemented in a timely way and that are commensurate with vulnerabilities and threats to the information assets, the criticality and sensitivity of the assets, the stage at which the assets are within their life-cycles, and the potential consequences of an information security incident.[7]
You need to now review the information security controls of third parties who manage your information assets, and the design of such controls, and consider whether they meet those requirements.[8] If your review reveals the information security controls should be sufficient for those information assets, check that you have contractual controls that require such controls to be maintained. If you consider there are shortfalls in such information security controls, consider what changes are required, and include remediation requirements in the third party contract.
Step 6 – Review supplier incident management processes
CPS 234 requires you to have robust mechanisms to detect and respond in a timely manner to any information security incidents that could plausibly occur, including where those incidents may impact on information assets managed by a third party supplier.[9] Such a response plan must include:
- mechanisms for managing the incident and for the escalation and reporting of incidents to the Board, other governing bodies and individuals responsible for incident management;[10]
- a requirement that APRA is notified as soon as possible and no later than 72 hours after you become aware of any information security incident that materially affected or had the potential to materially affect you or the interests of depositors, policyholders, beneficiaries or other customers, or which has been notified to other regulators (in Australia or otherwise);[11]
- a requirement that APRA is notified as soon as possible and not later than 10 business days after you become aware of a material information security control weakness which you expect will not be able to be remediated in a timely manner;[12] and
- a requirement that it is annually reviewed and tested to ensure that it remains effective and fit-for-purpose.[13]
You need to now review your third party contracts, including any standard terms you use with suppliers, to determine whether they have an incident management and information security control weakness management process that enables you to comply with your response plan and that will enable you to meet the requirements outlined above. Update such contracts, as required, to ensure they comply with your plan (including so that they allow you to share information with APRA, as required).
Step 7 – Review your testing program
CPS 234 requires you to have a systematic testing program to test the effectiveness of your information security controls, including those of third party suppliers. That testing program should be documented and require:
- testing at a nature and frequency commensurate with the rate at which the vulnerabilities and threats change, the criticality and sensitivity of the information assets, the consequences of an incident, the risks associated to environments where you are unable to enforce your information security policies, and the materiality and frequency of change to information assets;[14]
- testing to be undertaken by appropriately skilled and functionally independent specialists; [15]
- escalation and reporting to the Board or senior management of any testing results that identify information security control deficiencies that cannot be remediated in a timely manner;[16] and
- review of the testing program annually and when there is a material change to information assets or the business environment.[17]
Consider whether your testing plan covers third parties and whether your third party contracts permit you to undertake such testing. Where you are reliant on a third party’s security control testing, assess whether such testing is commensurate with the above requirements,[18] and ensure you have a procedure in place for remediation where shortfalls are identified.
Step 8 – Update your internal audit policies
CPS 234 requires your internal audit function to:
- review the design and operating effectiveness of information security controls maintained by third parties;[19] and
- assess the information security control assurance provided by third parties where: (i) an information security incident affecting the information assets managed by them has the potential to materially affect you or the interests of depositors, policyholders, beneficiaries or other customers, financially or otherwise; and (ii) you intend to rely on the information security control assurance provided by them.[20]
You should check whether your third party contracts permit you to undertake such reviews.
Step 9 – Put in place a process for regular review
CPS 234 requires you to actively maintain an information security capability commensurate with the size and extent of threats to your information assets (including those managed by third parties), and which enables your continued sound operation.[21] Any review process you have in place should be kept current and reflective of changing vulnerabilities and threats, including those resulting from changes to information assets managed by third parties or changes in the business environment.[22] You should ensure that your third party contracts allow you to undertake commensurate periodic reviews of the third party’s information security capability.
Step 10 – Vary your supplier contracts, where required
Ensure your contracts with third parties who manage your information assets (including any applicable standard terms you use) are varied as required before 1 July or the next contract renewal date (if earlier).
For further information about your obligations under CPS 234 generally, see CPS 234: 8 things you didn’t know about APRA’s new cybersecurity standard.
[1] CPS 234, paragraph 6.
[2] CPS 234, paragraph 13.
[3] CPS 234, paragraph 14.
[4] CPS 234, paragraph 20.
[5] CPS 234, paragraphs 18 and 19.
[6] CPS 234, paragraph 16.
[7] CPS 234, paragraph 21.
[8] CPS 234, paragraph 22.
[9] CPS 234, paragraphs 23 and 24.
[10] CPS 234, paragraph 25.
[11] CPS 234, paragraph 35.
[12] CPS 234, paragraph 35.
[13] CPS 234, paragraph 36.
[14] CPS 234, paragraph 27.
[15] CPS 234, paragraph 30.
[16] CPS 234, paragraph 29.
[17] CPS 234, paragraph 31.
[18] CPS 234, paragraph 28.
[19] CPS 234, paragraph 32.
[20] CPS 234, paragraph 34.
[21] CPS 234, paragraph 15.
[22] CPS 234, paragraph 17.
Visit Smart Counsel