In 2021, the Australian Prudential Regulation Authority (APRA) began writing to financial services institutions instructing them to engage an independent auditor or expert to undertake a one-off tripartite review of their cyber security against Prudential Standard CPS 234 Information Security (CPS 234). In this publication, we explore the CPS 234 requirements and offer some advice on how to prepare for the tripartite review.
What is CPS 234?
CPS 234 is a mandatory information security legal requirement that took effect on July 1, 2019. It requires APRA-regulated financial institutions to strengthen their information security framework in order to protect themselves and their customers from the growing threat of cyber attacks. In addition, when a data breach or other security incident is discovered, businesses must respond in a timely manner and notify APRA.
Why is cybersecurity so important to APRA?
- Financial institutions are among the most attractive targets for threat actors because of the potential size of the financial reward and the value of personally identifiable information (PII) and protected health information (PHI) on the dark web.
- During the 2020-21 financial year, the Australian Cyber Security Centre (ACSC) received 13 per cent more cybercrime reports than in the previous year.
- Financial institutions are increasingly using third parties to support their critical business activities. According to a survey by the Ponemon Institute, 66% of the companies surveyed did not know how many third-party relationships they had or how those relationships were managed, even though 61% reported a breach attributable to a third party. Most of the breaches occurred because third parties had been given too much privileged access to data and systems.
- APRA’s initial pilot of CPS 234 tripartite assessments, which involved a small sample of banking, insurance and superannuation entities, highlighted some concerns and the need for boards to play a more active role in:
  - Reviewing and challenging information reported by management on cyber resilience
  - Ensuring their entities can recover from high-impact cyber-attacks (e.g. ransomware)
  - Ensuring information security controls are effective across the supply chain
Clearly, APRA has grounds for concern, and the mandating of broader tripartite reviews indicates that it has no appetite for dealing with a major data breach or any other cyber security incident.
What is the CPS 234 Tripartite Review?
APRA’s power to require financial institutions to undertake a tripartite review comes from Prudential Standard GPS 310, Audit and Related Matters.
A tripartite review is an assessment that involves three parties. In this case, the three parties are APRA, the entity being reviewed, and an assurance practitioner (an independent reviewer). The assurance practitioner can be selected by the entity but must be approved by APRA before the review commences. The firm selected to perform the tripartite review should have the appropriate skills, capabilities and experience in conducting ASAE 3150 assurance engagements, and the independence needed to conduct the CPS 234 assessment.
The tripartite independent cyber security assessments are one part of APRA’s broader Cyber Security Strategy for 2020 to 2024, which aims to improve the Australian financial system’s resilience against the ever-growing cyber threat.
For APRA-regulated entities with robust cyber security governance, documentation and practices, the CPS 234 tripartite review should be a relatively straightforward process. The entity will need to provide hundreds of important documents for the auditor to review, so that practices can be validated against the requirements of CPS 234 and reported back to both APRA and the entity. The tripartite review will cover several elements:
- Roles & Responsibilities
- Information Security Capability
- Policy Framework
- Information Asset Identification & Classification
- Implementation of Controls
- Testing Control Effectiveness
- Incident Management
- Internal Audit
- APRA Notification
The Likely Challenges
The size and complexity of the financial institution is little indication of how much work is involved in co-ordinating or performing the tripartite review. All tripartite reviews must be performed to ASAE 3150 requirements and assessed against comprehensive APRA-provided assessment criteria (a CPS 234 checklist), and the assurance report must be a “long-form” report that includes:
- An executive summary
- Details of the tests performed of each control objective
- Key strengths and good practices
- Exceptions and weaknesses identified, with a risk rating in line with the entity’s risk criteria
- Management response, agreed actions and timeframes
From our experience, larger institutions will have a significant amount of documentation to provide, but smaller institutions (Australian local branches) will require the same level of validation from their overseas parent.
Having conducted CPS 234 reviews, remediated cyber security gaps and helped APRA-regulated entities prepare for tripartite reviews, we have noticed some trends in the challenges faced by organisations across various industries. If you have received or expect to receive an engagement letter from APRA, consider these seven challenges to gear up for a positive outcome:
1. Documented Processes
While many organisations have an Information or Cyber Security Framework in place, the documentation of processes is a common gap. A policy is supported by a standard, and a standard is supported by a procedure… or at least it should be.
Typically, response procedures are not well documented. Common shortfalls include how to restore a backup, how to rebuild a server, how to transfer to a failover data centre, how to report fraud, and how to escalate and properly report to APRA… the list is extensive.
The auditor will be looking for ‘hard’ evidence. Soft controls are good, but documented controls such as plans, test results and status reports are better.
2. Information Asset Identification and Classification
Information asset identification and classification was a first for many APRA-regulated entities once CPS 234 was introduced.
Traditionally, asset registers were kept by the IT department to manage physical assets in an environment where everything was hosted onsite. Under CPS 234, information assets are not just physical, and they require more than identification and classification. To even classify an information asset, we need to understand how materiality is defined. Even then, a single organisation may have multiple definitions of materiality depending on the context.
Clearly define materiality from an information technology perspective and build an information asset framework around it. As a starting point, ensure all assets are covered and that each entry includes a description of the asset, the asset owner, the asset host, the criticality of the data, the sensitivity of the data, the lifecycle of the asset and a risk rating aligned with the Risk Management Framework.
3. Processes based on Information Asset
We commonly see IT infrastructure built upon the knowledge and experience of senior IT architects. No complaint here; many are well designed and function beautifully, but there is no evident risk assessment behind the configurations. The criticality and sensitivity of assets should guide the configuration of traffic policies, interface setups, user access management and group policies.
The reasoning behind this is that the risk assessment of an information asset can be linked back to the organisation’s risk consequences table, making the risk quantifiable and measurable. This helps not only in responding to incidents but also in better managing risk-taking. Organisations need to take some level of risk to grow. As a basic example, if all data were treated as highly sensitive, there would be hesitance to outsource hosting to a vendor in order to expand operations to a secondary office.
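The two points above (an asset register carrying owner, host, criticality, sensitivity, lifecycle and a risk rating, and configuration decisions driven by that rating) can be made concrete in a small script. The following is an added example written for this article; it is not InConsult's tooling or anything APRA publishes. The rating scales, the 4x4 likelihood-by-consequence matrix, the control baseline and the sample assets are all constructed assumptions standing in for an organisation's own Risk Management Framework.

```python
"""Added example: a minimal CPS 234-style information asset register.

Records the register fields named in the article, derives a consequence level
(materiality) from criticality and sensitivity, maps it through an assumed
risk matrix, and lists the gaps an auditor would raise from the register alone.
All scales, thresholds and sample assets are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed ordinal scales: 1 = lowest, 4 = highest.
CRITICALITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}

# Assumed organisational risk consequence table (level -> label).
CONSEQUENCE = {1: "Minor", 2: "Moderate", 3: "Major", 4: "Severe"}

# Assumed control baseline keyed by consequence level. This is the point of the
# section above: access, network placement and recovery-test cadence follow
# from the asset's assessed materiality rather than from architect preference.
CONTROL_BASELINE = {
    1: {"restore_test_months": 24, "mfa": False, "network_zone": "general"},
    2: {"restore_test_months": 12, "mfa": True, "network_zone": "general"},
    3: {"restore_test_months": 12, "mfa": True, "network_zone": "restricted"},
    4: {"restore_test_months": 6, "mfa": True, "network_zone": "isolated"},
}

# Reference date used by the constructed sample run.
TODAY = date(2022, 3, 1)


@dataclass
class InformationAsset:
    name: str
    description: str
    owner: str | None          # None models the common "no owner recorded" gap
    host: str                  # e.g. "on-prem" or "vendor:<name>" (constructed)
    criticality: str           # key of CRITICALITY (availability impact)
    sensitivity: str           # key of SENSITIVITY (data confidentiality)
    lifecycle: str             # "active", "retiring" or "retired"
    last_restore_test: date | None = None

    def consequence(self) -> int:
        """Materiality: the worse of availability criticality and data sensitivity."""
        return max(CRITICALITY[self.criticality], SENSITIVITY[self.sensitivity])

    def is_material(self) -> bool:
        """Assumed materiality threshold: Major or Severe consequence."""
        return self.consequence() >= 3


def risk_rating(likelihood: int, consequence: int) -> str:
    """Assumed 4x4 matrix: score = likelihood * consequence, banded into ratings."""
    if not (1 <= likelihood <= 4 and 1 <= consequence <= 4):
        raise ValueError("likelihood and consequence must be in 1..4")
    score = likelihood * consequence
    if score <= 3:
        return "Low"
    if score <= 6:
        return "Medium"
    if score <= 9:
        return "High"
    return "Extreme"


def controls_for(asset: InformationAsset) -> dict:
    """Baseline control expectations implied by the asset's materiality."""
    return CONTROL_BASELINE[asset.consequence()]


def months_between(earlier: date, later: date) -> int:
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def register_gaps(assets: list[InformationAsset], today: date = TODAY) -> list[tuple[str, str]]:
    """Findings an auditor could raise from the register itself (no owner,
    no recovery test on record, or a test older than the baseline allows)."""
    gaps: list[tuple[str, str]] = []
    for a in assets:
        if a.lifecycle == "retired":
            continue
        if not a.owner:
            gaps.append((a.name, "no asset owner recorded"))
        limit = controls_for(a)["restore_test_months"]
        if a.last_restore_test is None:
            gaps.append((a.name, "no restore test on record"))
        elif months_between(a.last_restore_test, today) > limit:
            age = months_between(a.last_restore_test, today)
            gaps.append((a.name, f"restore test overdue ({age} months, limit {limit})"))
    return gaps


# Constructed sample register; names and vendors are placeholders.
SAMPLE_ASSETS = [
    InformationAsset("core-banking-db", "Customer accounts ledger", "Head of Operations",
                     "on-prem", "critical", "restricted", "active", date(2021, 1, 15)),
    InformationAsset("marketing-site", "Public website", "Marketing Lead",
                     "vendor:ExampleHost", "low", "public", "active", date(2020, 3, 1)),
    InformationAsset("hr-payroll", "Payroll SaaS extracts", None,
                     "vendor:ExamplePayroll", "high", "confidential", "active", None),
    InformationAsset("legacy-crm", "Decommissioned CRM", "IT", "on-prem",
                     "low", "internal", "retired", None),
]

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        level = a.consequence()
        # Likelihood 2 is an assumed placeholder; a real register stores it per asset.
        print(f"{a.name:16} {CONSEQUENCE[level]:9} rating={risk_rating(2, level):8} "
              f"material={a.is_material()} controls={controls_for(a)}")
    for name, issue in register_gaps(SAMPLE_ASSETS):
        print(f"GAP {name}: {issue}")
```

Running it as a script prints one line per asset with its consequence label, rating and implied controls, followed by the gaps. Note that the retired asset is skipped, the public website is within its 24-month window, and the two findings against the payroll extract (no owner, no recovery test) are exactly the kind of "hard evidence" gap the auditor will look for.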
4. Third Party Information Security Capability
A term used commonly by APRA is “information security capability”. This term refers not only to the entity being reviewed; it also covers all vendors or third parties that are material or critical to the operation of the organisation. While third-party assessment has been a hot topic in Australia in the last 12 months, the level of detail we are seeing in assessments is not sufficient. Performing the typical annual assessment and adding on “have you got a Business Continuity Plan (BCP) or a Cyber Incident Response Plan?” is simply not enough. This does not paint a picture of the vendor’s capability and does not provide adequate assurance of continuity.
Additionally, there need to be detailed and documented contingency plans for each vendor should their recovery processes fail. Vendors and third parties should be assessed to the same standard as your own organisation, for you are only as strong as your weakest link. Outsourcing assets does not outsource responsibility or risk.
5. Evolving Position Descriptions
With the hybrid workforce being the new normal, flexibility is evident not only in working environments. Position descriptions are leaning more towards dynamic responsibilities, and many Chief Information Officers (CIOs) we have spoken to agree. The issue with dynamic roles is that occasionally they are not reflected in a formal document or in the individual’s official position description.
As an example, we have seen cryptography custodians assigned responsibility without it being officially documented. One of the greatest risks to a comprehensive cryptographic framework is malicious intent or abuse by a privileged custodian. Critical responsibilities should be documented so that appropriate vetting can be governed and individuals can be appropriately assigned the responsibility. If documenting these responsibilities against a specific role is too difficult or time consuming, consider documenting them at a team level.
6. Frequency and Scope of Testing
Annual testing of all critical systems can be an arduous task, and the unfortunate shortage of certified information technology (IT) resources currently hitting the industry does not help. Whether it is a budget or a resourcing issue, we are seeing infrequent testing and/or the exclusion of critical systems from annual testing. Tests should include not only exercises and tabletop drills but also recovery testing of backups and failover solutions.
There is also nothing wrong with planning a full-scope test of critical systems as part of a multi-year program because of resource limitations, as long as it is clearly documented. Multi-year roadmaps show a commitment to better practice and can be altered as higher-risk or higher-priority assets are acquired or created.
7. Evidence Methodology
IT teams understand the need for testing, and evidence is well documented in the form of screenshots, results and reports escalated to the leadership team. What is lacking in the evidence we see is the methodology on which the testing is based. Why was this system selected, what are the likelihood and consequence of an outage of that system, why was it tested in this manner, and what were staff hoping to achieve? Be sure to include the test rationale, the processes executed, a review of the results, and evidence that the testing program itself was reviewed in light of those results.
Continual improvement also seems to be a low priority. Testing and gathering forensic evidence should not be a tick-box activity; it should aim to improve systems, procedures and the testing program itself. Should you ever face a real-world incident, you will be thankful for it.
Cost vs Benefit of CPS 234 Review
The CPS 234 Information Security Tripartite Review has a number of limitations.
Firstly, whilst the review is mandated by APRA, the cost is borne by the entity. With a shortage of cyber risk experts, coupled with the ‘great resignation’ phenomenon and the level of detail required by APRA, it is not going to be cheap. To help reduce costs, we suggest:
- first performing a self-assessment
- allowing some time to remediate ‘quick win’ shortfalls
- running a series of workshops to gather information from multiple sources
- considering the comprehensive list of documents required during a review
Also, many elements of the review are only valid at a point in time. Within 6 months after the tripartite review, the cyber risk environment will have changed.
The CPS 234 Information Security Tripartite Review is a great initiative that we strongly believe will improve the maturity of financial services in Australia. APRA has based the review on three focal areas, hoping to achieve:
- The establishment of a baseline of cyber controls
- Enabling boards and executives of financial institutions to oversee and direct correction of cyber exposures
- Rectifying weak links within the broader financial ecosystem and supply chain
By aiming to improve an entire industry and acknowledging that it is a shared effort, APRA hopes to minimise the cascading effects of a cyber incident on an entire system or industry. Because all APRA-regulated entities are in scope, there is no way around it, and the end result should positively impact the financial sector in Australia.
Can We Help?
The InConsult team has a deep understanding of insurance and the APRA prudential standards, including CPS 234 and the requirements of the tripartite review. Since the implementation of the revised APRA Prudential Framework in 2001, we have helped APRA-regulated clients navigate the myriad regulatory compliance requirements. Our cyber security experience includes:
- Independent CPS 234 reviews
- Preparing for CPS 234 tripartite reviews
- Remediating gaps in all elements of cyber security, including third parties
- Comprehensive independent reviews of the ICAAP, risk management and reinsurance framework
If you have been approached by APRA to take part in a tripartite review or are anticipating a review, contact us to discuss your needs.