In March 2018, APRA reacted to the increasing threat of cyber attacks with releasing the first draft of a prudential standard CPS 234 on Information Security. The new standard aims at increasing the cyber attack defence capabilities of APRA regulated entities and their timely, effective response strategies.
Basis for the prudential standard is the Prudential Practice Guide CPG 234: “Management of Security Risk in Information and Information Technology” and was already published in May 2013. While this guide was released a while ago, it outlines guidance on APRA’s expectation of best practices, i.e. it was not a regulatory standard. Therefore, a complete implementation in an organisation may not have been considered to be mandatory at that time.
With the Draft of the Prudential Standard CPS 234 on Information Security this changes. Regulated financial institutions are expected to be compliant with all requirements after it becomes effective on 1st of July 2019. The consultation for the CPS 234 closed on 7th of June 2018.
Similar to APRA’s other risk management standards, it outlines key principles which a regulated organisation needs to establish firm-wide and be able to demonstrate to the regulator, i.e. appropriate evidences need to be created and managed over time. Main key principles cover:
- Information Asset Identification and Classification
- Information Security Capabilities
- Roles & Responsibilities
- Policy Framework
- Control Framework and Incident Management
- Testing Program
- Internal Audit
- APRA Notification
1) Information Asset Identification and Classification
The methodology for classifying Information Assets in the organisation needs to be reviewed and potentially updated to comply with requirements of CPS 234. Classification should be based on sensitivity and criticality of the Information Asset and applied consistently throughout the organisation. Underlying assumption is that all relevant Information Assets have been identified already.
2) Information Security Capabilities
According to the standard on Information Security a regulated entity needs to establish and maintain information security management capabilities to ensure sound and continued operation of the organisation. APRA defines these capabilities as the sum of all resources, skill and controls.
3) Roles & Responsibilities
The draft standard places final responsibility for Information Security Management with the board. Cascading from that, roles and responsibilities need to be defined for senior management, governing bodies and individuals. Additionally, responsibilities of the 1st and 2nd line of defence need to be clarified.
A clearly defined governance model implies also a sound monitoring and reporting framework with different aggregation levels for all involved parties.
4) Policy Framework
An organisation needs to create and maintain a policy framework which reflects management of identified vulnerabilities and threat scenarios. The policy framework also needs to comprise a clear description of the roles & responsibilities (see principle 3).
5) Control Framework and Incident Management
In order to ensure that information security incidents are detected, appropriate controls need to be designed and established.
For designing effective controls, vulnerabilities need to be identified and expected threats scenarios created. Both should be matched against respective Information Assets and their classification. Information Assets, vulnerabilities and threat scenarios must be updated continuously taking into account latest technological advancements and changes to the threat environment.
6) Testing Program
In order to ensure that established controls work effectively, a testing program needs to be designed and executed. Nature and frequency of the program depend strongly on the changing threat environment, classification of the Information Assets, expected impact of incidents and risks associated with the exposure to untrusted environments.
Identified control deficiencies must be reported to the Board if they cannot be remediated in a timely manner. The testing program itself needs to be reviewed if:
- classification of Information Assets changes;
- the business environment evolves in any material way;
- annually at a minimum.
7) Internal Audit
To ensure that the entire information security framework works as intended, Internal Audit is required to conduct reviews on the design and effectiveness of controls.
8) APRA Notification
Material incidents need to be communicated to APRA as soon as possible but latest within 24h of the incident. Weaknesses in the Information Security controls must be communicated within five business days if these weaknesses cannot be remediated in a timely manner.
Impact on the Risk Management Environment
While the new standard outlines requirements for managing Information Assets, it needs to be considered in the wider APRA prudential framework focussing on risk management. These include CPS 220 on Risk Management, CPS 231 on Outsourcing and CPS 232 on Business Continuity Management.
CPS 220 on Risk Management is impacted, since risk appetite statement, risk management statement, accountability & governance, business plan and the internal information flow needs to be reviewed and potentially adapted to reflect the risk appetite for Information Security.
CPS 231 on Outsourcing is impacted, since Information Assets may also be managed by related or 3rd parties. That requires
- review and potential update of the materiality assessment methodology
- alignment of governance, policy, controls and testing
- review and update of contracts with related and 3rd parties
- incorporation of Information Assets into the service provision monitoring and reporting framework
- enhancement of the outsourcing inventory reflecting information security requirements
- alignment of APRA notifications process
APRA broadens the scope to related or 3rd parties which manage Information Assets of the organisation but were not captured by the CPS 231 framework. Information security control design and effectiveness of these providers needs to be assessed.
CPS 232 on Business Continuity Management is also impacted as it states that business continuity needs to be ensured for normal in-house operations and outsourced business activities. Therefore, special attention should be paid to processing, storage and access to Information Assets in case of a disruption. Appropriate measures and activities should be reflected in respective assessments, recovery strategies, controls and testing plans.
Implementation Challenges & Next Steps
In order to ensure sustainability and consistent security of Information Assets a full integration of CPS 234 into the organisation’s risk & compliance management framework is required. The integration must cover business lines as well as supporting function such as IT.
One of the success factors will be to allocate the right resources to lead such an integration program. A combination of skills and competence is required spanning risk & compliance management, information security management and sound outcome-oriented program management.
Another success factor will be to consider the wider picture in case the organisation has an international footprint. In that case other regulatory requirements need to be taken into account and a sustainable framework established which applies to the maximum number of locations. Among others, benefits will be cost reduction, elimination of responsibility cross-overs and unclear Information Asset handling.
While the consultation phase has just finished, proactively an organisation could
- Include CPS 234 in the program portfolio
- Identify appropriate program resources
- Assess the current risk & compliance management frameworks with regards to Information Security
- Determine required changes to be updated with final requirements
After release of the final version of CPS 234 the implementation can be started. Target date of compliance is the 1st of July 2019.
 Source: Prudential Standard CPS 234 Information Security as of March 2018
 The question arises why these providers were not captured by the CPS 231 framework and whether they should be captured in future.