Final APRA Guidance on Information Security (CPG 234) released – are you prepared?

In brief 10 min read

APRA has released the updated final version of its Prudential Practice Guide (CPG 234), which gives crucial context about how it views cybersecurity threats, and clarifies some of the steps that should be taken now relating to board oversight, information security controls and notification of information security incidents. 

What does this mean for you?

• APRA has now released the updated final version of its Prudential Practice Guide CPG 234 Information Security (CPG) ahead of the commencement of its Prudential Standard CPS 234 Information Security (CPS 234) on 1 July 2019. While not strictly binding, the CPG provides crucial context about how APRA views cybersecurity threats and how it is likely to enforce the stringent obligations under CPS 234, particularly given its new 'constructively tough' approach to enforcement. The guidance also clarifies some of the steps that ADIs, insurers, superannuation licensees and other APRA-regulated entities should be taking now in relation to board oversight, information security controls and notification of information security incidents.
• All APRA-regulated entities, including ADIs, general insurers, life insurers, private health insurers, RSE licensees, and authorised or registered non-operating holding companies, will need to comply with the stringent information security requirements set out in CPS 234 from 1 July 2019. Importantly, where an APRA-regulated entity is the head of a group, it must comply with the requirements of CPS 234 by ensuring the requirements are applied appropriately throughout the group, including in relation to entities which are not regulated by APRA.
• If your organisation regularly manages data, software, systems or hardware for APRA-regulated entities, it may not be directly caught by CPS 234. However, you should still be aware of these requirements because your organisation is likely to be contractually bound to comply with certain CPS 234 obligations (in particular, those relating to the management or auditing of information security risks and those of sub-contractors) under its agreements with APRA-regulated entities.
• For many entities, identifying and implementing compliance uplifts will take some time. APRA has said that regulated entities should advise their APRA supervisor if they will not be able to fully comply with CPS 234 from 1 July 2019.
• CPS 234 can't be dealt with in isolation. Entities will need to take a holistic approach to information security and data governance, and also take into account their broader privacy, information security compliance and governance obligations.

Who else in your organisation needs to know about this?

• Board members – While CPS 234 does not restrict the delegation of information security roles and responsibilities, it does make the board of a regulated entity ultimately responsible for information security, implying that the board should be aware, and involved in the remedying, of information security threats and vulnerabilities. The CPG also makes it clear that the board should not only be regularly seeking assurance from management on various information security matters, but it should also be challenging management. Simply relying on the reporting provided by others without doing more to confirm or challenge those reports is unlikely to discharge the board's obligations under CPS 234.
• Legal and procurement – The broad scope of 'information assets' regulated by CPS 234 means that, in practice, there will be very few transactions or outsourcing arrangements that will not be caught under CPS 234. Legal and procurement teams will need to consider what security, oversight and audit provisions are needed in relation to both existing and future third and related party arrangements, and what security due diligence processes can be carried out before contracting.
• Risk and compliance functions will need to ensure the regulated entity's plans, policies and reporting processes, including incident response plans, align with the requirements of CPS 234.
• Audit functions (of regulated entities and third party providers) need to develop systematic testing programs, and ensure their normal audit process covers the considerations in CPS 234, and regulated entities will need to ensure they have oversight of the security audit and testing processes of third parties.

What's new?

Further detail on the content and scope of CPS 234 is set out in our article New APRA prudential standard raises bar for information security obligations and incident notification requirements. Below is an overview of the key additional guidance provided by the CPG.

Third party and related party management

Although CPS 234 comes into force for regulated entities on 1 July 2019, the obligations imposed regarding information assets that are managed by third and related parties will only commence from the earlier of: 1 July 2020; or the date on which the relevant third or related party arrangement is renewed or materially updated. That may seem like a long runway. But, for regulated entities that rely heavily on external providers, the process of reviewing and updating such arrangements is likely to take some time, particularly as updates may require consideration and documentation of what security controls will be 'commensurate'. This transition period will not otherwise exempt regulated entities from ensuring they have the necessary framework in place.

• Regulated entities should:
  • regularly assess the capabilities and vulnerabilities of third and related parties, including through interviews, service reporting, control testing, certifications, attestations, referrals and/or independent assurance assessments; and
  • not simply rely on the fact that a third or related party is subject to other regulatory obligations (whether under CPS 234, ASX listing rules or otherwise) as a means of assessing that third party's information security capability.
• Regulated entities should acknowledge that information security roles and responsibilities will be located across separate business areas (including IT, privacy, compliance and product teams) and will be shared with third parties or related parties.
• Regulated entities should:
  • ensure there is clear ownership and accountability for information security tasks and functions as between different business areas and entities, and define escalation paths and thresholds clearly; and
  • implement compensating measures (eg developing a 'virtual' security group made up of these individuals to increase oversight and collaboration across the entity and third party).

Classification of criticality and sensitivity of information assets

As outlined in CPS 234 (and in contrast to other APRA standards like CPS 231), the majority of the obligations under the CPG do not involve any materiality threshold, and will apply to all information assets. APRA has confirmed this approach, explaining that regulated entities should have a comprehensive understanding of all their information assets because even assets that could be considered immaterial might provide the means by which attackers can compromise information assets with higher levels of criticality and sensitivity.

• APRA has clarified that:
  • the broad scope of information assets (which CPS 234 defines as being information or information technology, including software, hardware and data (both soft- and hard-copy)) will also include infrastructure and ancillary systems like environmental control systems;
  • criticality and sensitivity ratings for information assets should take into account the potential impact of the asset being compromised; and
  • where a regulated entity aggregates individual components of a system into a single asset (as opposed to classifying each individual component), the aggregate asset should inherit the highest criticality and sensitivity ratings of its constituent components.
• Regulated entities should implement a process to review the classifications of information assets on an annual basis; or more frequently, if there has been a material change to the relevant information assets or the surrounding business environment.

Notification

One of the CPS 234 obligations that received the most submissions was the inclusion of two obligations to notify APRA:

• Material information security incidents or incidents notified to other regulators – no later than 72 hours after becoming aware of an information security incident (which will include both actual and potential compromises of information security) that:
  • has materially affected, or had the potential to materially affect, financially or otherwise, the entity or the interests of stakeholders (including customers); or
  • has been notified to other regulators (whether or not in Australia). This would require that an incident be notified to APRA within 72 hours of notification to the other regulator, provided the incident does not also satisfy the criteria under the first limb.
• Material information security control weaknesses – no later than 10 business days after becoming aware of a material information security control weakness (eg a weakness that could be exploited to compromise information security) that the entity expects it will not be able to remedy in a timely manner.

The CPG expressly outlines that regulated entities should notify APRA as soon as possible of these incidents or control weaknesses, even in the absence of complete information as to the incident or the intended response. APRA has now also released the electronic forms that should be used to report incidents and control weaknesses.

What insight does the CPG give to APRA's focus areas and approach?

Urgency of cybersecurity threats

The information landscape has changed considerably since 2013. APRA has justified the fast-tracked release of the CPG and CPS 234 on the basis that insufficient cybersecurity and information security measures are an urgent threat, with an APRA Executive Board Member stating:

cyber-adversaries are targeting Australia's banks, insurers and superannuation licensees with growing frequency and sophistication ... it is only a matter of time until an Australian financial institution suffers a material information security breach of the kind we've seen overseas, so they must be prepared.

Related party arrangements

The CPG doubles down on the position in CPS 234 that third party and related party information security risks (and those of their subcontractors and service providers) need to be closely managed, including by assessing security capabilities and controls, assurance and audit processes, and agreeing each party's role regarding incident response. This reflects the trend of increasing regulatory focus on related party arrangements (where data and security controls are often not properly documented and are less stringent than other third party arrangements).

Emerging technology

The CPG treats emerging technologies as a threat rather than an opportunity for entities, suggesting that a regulated entity should only authorise the use of new technologies where:

• the technology has matured to a state where there is a generally agreed set of industry accepted controls to manage the security or technology; or
• compensating controls in place within the regulated entity are sufficient to reduce residual risk within the regulated entity's risk appetite.

This guidance seems out of step with market drivers, given the rate at which emerging technology is being adopted both by regulated entities and the broader market. It also ignores the fact that it may be uncommercial for a regulated entity to lose its first-mover advantage while waiting until a technology has been widely adopted. However, these statements provide a good indication of APRA's thought process, and suggest it may seek to enforce any breach of CPS 234 arising as a result of early adoption of emerging technologies without stringent security controls.

Actions you can take now

• Undertake a cybersecurity risk and threat assessment – This will help regulated entities (and third party providers) determine whether proposed and existing controls are 'commensurate' or 'proportionate' to relevant threats.
• Classify information assets – This process should also include consideration of which third and related parties will manage or have access to such assets.
• Classify third and related party arrangements – These arrangements should be classified having regard to the nature of the arrangement and information assets, potential threats, and the sophistication of the counterparty's existing security controls and processes. They may include a pre-contract security due diligence process.
• Review and uplift existing third and related party arrangements – Regulated entities should revisit existing third and related party arrangements before 1 July 2020, to confirm whether they contain appropriate security, audit, notification and cooperation obligations, and should ensure they maintain ongoing awareness of changes to the way in which the relevant services are provided. They should also implement a process for the procurement of new services.
• Update incident and data breach response policies and plans – The updated plans should cover the notification obligations under CPS 234 and expressly contemplate the role of external third parties.
• Roll out awareness and training programs – Regulated entities (and their third party providers) should consider rolling out awareness or training programs in connection with information security and the specific obligations under CPS 234.
• Monitor updates to other prudential requirements – APRA has indicated that it will roll out updates to the prudential requirements for operational risk, business continuity management (CPS 232) and outsourcing (CPS 231) on a staged basis during the course of 2019-2020.