The Australian Prudential Regulation Authority’s (APRA) Cross-Industry Prudential Standard (CPS) 234 aims to improve resilience against security incidents. CPS 234 commenced on 1 July 2019, although where an APRA-regulated entity’s information assets are managed by a third party, the requirements will apply on 1 July 2020 (or the renewal date of the contract if it falls before then).
Although CPS 234 has now come into effect, it appears many organisations are still trying to get to grips with what is required of them, and how to implement security improvements. At Pitcher Partners Melbourne’s recent executive luncheon, experienced CTOs, business leaders and board members discussed how organisations can take steps to show they are on track to comply with CPS 234, and improve their data security.
Read their highlights below if you and your organisation need support, or get in touch with a Pitcher Partners expert for a discussion about how we can help you.
The key requirements of CPS 234
APRA outlines the key requirements of CPS 234 as the following:
- Clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals;
- Maintain an information security capability commensurate with the size and extent of threats to information assets, and which enables the continued sound operation of the entity;
- Implement controls to protect information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and
- Notify APRA of material information security incidents.
Data? What data?
A challenge for many organisations is not only tracking information internally, but understanding how and where their third parties, including cloud services, are storing their data. Your organisation has an obligation to reveal any data breaches to the regulator. This can only be achieved if you know where your data resides. It may also require contractual clauses with third parties to ensure they protect your data appropriately and reveal any breaches to you.
Consider an example: a super fund accidentally sends out a message to 100 entities within the super industry. The message is correct, but the list of entities is not, and the message is not intended for them. The people whose data was released do not know that their data has been shared with an incorrect party.
According to the Privacy Act this is not a notifiable data breach because the data stays within the super system, even though the information has gone to the wrong entities. It is, however, not clear how the receiving entities store or process the data internally, making it impossible to guarantee the data is deleted.
Greater accountability for boards
Boards are always interested in issues that can create a potential reputational risk. This is particularly so for security breaches, given that individual board members can now be held personally accountable, and can be removed by the regulator, for security breaches under CPS 234. Many boards, however, are still grappling with the implications of cyber security.
As a start, boards could assess their current state of readiness to prevent, or deal with, a data breach. ‘War games’ involve running a number of scenarios to test the effectiveness of structures and processes. Boards that have undertaken these tests find their field of view changes, and they realise what is working and what isn’t.
In addition, boards need to determine what constitutes an acceptable risk. Anecdotally, it appears that the actual process of defining ‘risk appetite’ is the first hurdle facing the board. Risk may not be easily quantifiable and will depend on the organisational strategy and circumstances. Personal biases also need to be taken into account: people evaluate risk asymmetrically, assigning a lower level of risk to familiar issues, when in fact this may not logically be the case.
Getting the right security staff
There has been a noted increase in companies hiring security staff to get the right structures, processes and systems in place. The core of the work is to determine what data exists and secure it appropriately. However, the challenge lies in finding technical staff with an eye for strategic detail, and an ability to make a risk-based judgement in certain cases.
Becoming compliant with CPS 234 can be a labour-intensive task. Both large and small organisations will incur the same levels of risk and responsibility, but smaller organisations will likely not have the same resources to meet these requirements. Smaller entities are, however, often nimbler and more responsive to change. There is an opportunity to upskill your current workforce, leverage temporary consultants or take on part-time staff to bring the right level of expertise into the organisation.
What to do now for CPS 234?
Although CPS 234 is now officially in effect, it is not too late to take steps in the direction of compliance, in readiness for when the regulator comes calling. The regulator has been quite prescriptive, but the most important part is to show the regulator that your organisation is taking a risk-based approach to security, and that governance is in place.
The regulator is helpful and responsible; their role is not to be obstructive. It is anticipated that they will therefore be understanding towards organisations that are in the process of improving their security posture and can show good progress. It is therefore important to be able to present a security strategy that leads to compliance with CPS 234.
As a start, go through the CPS 234 requirements and check off where you comply and how. In those areas where you do not comply, write a brief description documenting where and why. The responsible board members must be made aware of this. Then develop a mitigation strategy to address the CPS 234 gaps. This strategy will show intent when talking to the regulator in the future. Ensure the strategy is delivered so actual progress can be presented to the board and APRA.
Tips to respond to CPS 234
- Network: Networking is a key tool for gaining scale as a small organisation. For example, some credit unions have joined together to talk about third-party providers and issues, and to create a stronger voice to push for change if issues arise.
- Find an industry partner: Connect with a trusted partner organisation to discuss your activity around CPS 234. Use each other as a motivational tool to keep your progress on track.
- Develop a plan: If there is a gap when talking to the regulator, have a mitigation strategy in place and share it. The next time you have contact with the regulator, you must have made concrete and tangible progress against the plan.
- Assess your storage: Reconsider how and where you store your data. Multi-cloud storage can be a good option if you have the resources to manage this securely. If not, the safest option could be to go all-in with one vendor and reduce the number of platforms you are required to juggle.
- Raise awareness: Make data security the responsibility of every staff member. Data security should be top of mind, and you should cultivate a culture of protecting data. Consider introducing data classification processes and language that become common terminology in the organisation, such as ‘restricted’, ‘confidential’, ‘internal’ and ‘public’.
- Look to the future: Consider where you are going, rather than your current state. This may shape a very different strategy which would likely be more aligned with CPS 234.