Financial services organisations worldwide are common targets for cyberattacks, data breaches, and cyber incidents that originate at a third party. To protect organisations and individuals from these growing threats, regulators such as the Australian Prudential Regulation Authority (APRA) have issued information security standards whose requirements can be built into third-party risk management (TPRM) programs.
In 2019, APRA brought into effect Prudential Standard CPS 234 Information Security (CPS 234), which aims to keep APRA-regulated entities resilient against information security incidents by requiring a security capability commensurate with the threats they face. These entities include foreign and domestic authorised deposit-taking institutions (ADIs), domestic and Category C general insurers, life companies, and private health insurers.
CPS 234 offers a straightforward list of requirements on defining roles and responsibilities, maintaining information security capabilities, testing a control’s effectiveness, and more. Here’s an overview of those requirements and some practical tips that can help your organisation’s TPRM program comply with APRA’s standards.
Note: Text taken directly from CPS 234 is noted in italics.
APRA CPS 234 Information Security Third-Party Requirements
One of the main objectives of CPS 234 is to reduce the likelihood and impact of security incidents involving information assets managed by related parties or third parties. Information assets refer to information and information technology, including software, hardware and data (both soft and hard copy).
The following third-party requirements from the standard are intended to protect the confidentiality, integrity, and availability (CIA) of information assets:
- Assessing information security capabilities – Organisations must determine whether their third parties have the resources, skills, and controls needed to protect their information. Working with a third party that has unskilled workers or insufficient resources to mitigate cybersecurity risk could increase the likelihood of an incident that negatively impacts your organisation.
- Implementing security controls – An organisation’s information assets must be protected by controls, even when those assets are managed by a third party. These controls should be appropriate for the potential vulnerabilities and threats that exist, as well as the assets’ criticality and consequences of an incident.
- Evaluating controls – A third party’s controls must be evaluated by the APRA-regulated entity to ensure they’re designed well and operate effectively. Security controls that are inadequate or non-functional aren’t capable of protecting information assets.
- Reviewing control testing – Organisations must also evaluate whether their third party is testing their controls at an appropriate frequency. For example, consider a third party’s incident response plan that hasn’t been tested in over two years. The third party may have implemented a new system or process since the last test, making their plan ineffective.
4 Tips to Comply With APRA CPS 234 Third-Party Requirements
Understanding how to comply with CPS 234 can seem overwhelming, especially if your organisation has limited TPRM resources and expertise. CPS 234 compliance becomes far more manageable, however, when it is built on practices that are already foundational to TPRM.
Here are 4 tips to consider:
- Complete an inherent risk assessment – Before you can begin implementing the CPS 234 standards, you’ll need to know which of your third parties have access to your information assets. An inherent risk assessment is one of the first steps within the onboarding stage of the TPRM lifecycle, but should also be reviewed periodically throughout the third-party relationship. This is typically a questionnaire completed internally by the vendor owner, which will identify the inherent risk and criticality of each third-party relationship. Third parties that have access to or store information assets are generally rated as high risk.
Pro Tip: Criticality is separate from a risk rating. It determines the business impact on your organisation if a third party’s product or service were to suddenly stop or cease to exist.
If the answer is "yes" to any of the following questions, you're likely dealing with a critical third party:
- Would our operations be significantly disrupted if we suddenly lost this third party?
- Would our customers be impacted if we suddenly lost this third party?
- Would our operations be significantly disrupted if the third party’s service was down for more than 24 hours?
- Include information security in due diligence – It’s essential to collect and review relevant information security documents throughout the due diligence process to better understand your third party’s capabilities of protecting your information assets. Consider which documents you may want to review to assess their capabilities around preventing, detecting, and responding to an incident.
Examples include evidence and results of regular vulnerability scanning, penetration testing, and social engineering testing. The third party’s encryption standards and data retention/destruction policies are also worth reviewing, along with a documented and tested incident response plan.
- Assess third-party information security controls – Engage a qualified subject matter expert (SME) to assess the third party’s information security controls for effectiveness. For example, an SME may assess specific preventive and detective controls, such as firewalls, anti-malware, or patch management practices, to confirm that they are in place and working as intended rather than merely documented. The SME should record which controls are ineffective or missing, along with recommendations on whether to proceed with, remediate, or decline the third-party relationship.
- Review third-party control testing – Certain information security controls, such as incident response plans, must also be tested regularly to ensure they remain effective as risks change. Information security threats are continuously evolving and becoming more sophisticated, so it’s essential that organisations and their third parties are prepared to respond. CPS 234 requires regulated entities to review the sufficiency of their testing program at least annually or when there is a material change to information assets or the business environment, and where testing is performed by a third party, the regulated entity must review that testing as part of its own program. Any testing results that reveal control deficiencies that can’t be remediated in a timely manner must be escalated and reported to the Board or senior management.
As organisations continue to rely on third parties to manage information assets, it’s important to recognise the risks and implement practices to strengthen operational resilience against security incidents. CPS 234 offers a strong foundation for developing an effective cybersecurity program that includes third-party relationships.