How APRA regulated entities should be maturing their Information Security in 2021

Australian Prudential Regulation Authority (APRA) regulated entities can expect increased oversight in their Information Security obligations this year, with APRA recently releasing supervision and policy priorities for 2021 and beyond.

The supervision and policy priorities plan aims to address increasing risks and vulnerabilities within Australia’s financial system and includes intervention and responsibilities at the Board level, as well as a tripartite pilot to assess selected regulated entities’ CPS 234 compliance.

With increasing cyber-attacks and intensified cyber risks due to remote working, APRA’s supervision and policy priorities reiterate that information security and technology resilience will remain at the forefront of how it measures the performance of regulated entities. In this article we discuss CPS 234 and what APRA regulated entities should be doing now as part of the standard’s ongoing maturity.

How did we get here? A recap

The CPS 234 standard has been in effect since 1 July 2019 and should now be a key operational focus area for all APRA regulated entities. This includes authorised deposit-taking institutions (ADIs), general insurers, life insurers, private health insurers, licensees of registrable superannuation entities and authorised non-operating holding companies.

At its core, CPS 234 is aimed at helping regulated entities combat the threat of a cyber-attack and improve overall resilience. In June 2019, APRA also released a corresponding practice guide (CPG 234) to help regulated entities identify and implement appropriate controls.

Overall, there are 36 paragraphs that set out the detailed requirements regulated entities must demonstrate compliance with. Below are some of the key requirements as outlined in CPS 234:

  • All information assets must be identified and classified based on criticality and sensitivity. This includes assets managed by third or related parties.
  • Controls must be in place to protect information assets that are consistent with the vulnerabilities, threats, criticality and sensitivity of the information assets.
  • Regulated entities must risk assess and systematically test internal controls and those controls maintained by third and related parties.
  • CPS 234 places ultimate responsibility for information security with the Board.


About the tripartite pilot assessment

A pilot tripartite assessment of CPS 234 has commenced involving six selected regulated entities. The pilot will involve a comprehensive independent assessment of CPS 234 controls by an independent third party, reported under an Australian Standard on Assurance Engagements (ASAE).

APRA, supported by the Council of Financial Regulators (CFR), will also require regulated entities to undertake regular cyber-attack test simulations that are conducted by specialist third parties.

What does this mean in practical terms?

Practically, under the CPS 234 standard, APRA regulated entities must ensure they are moving forward with their Information Security resilience. In some cases, this may mean complete transformation of business models that will require broader cyber security, strategic and people advice. As such, it is important to get independent assessments of compliance. To achieve this there are three key components:

1. Regulatory assurance

To ensure regulatory compliance, entities must ensure that assessments of CPS 234 controls are undertaken by functionally independent assessors. This may be in the form of assurance opinions or consulting style engagements to help management implement or improve existing controls.

Additionally, APRA’s prudential standard on audit requirements (APS, GPS, LPS, SPS, HPS 310) requires that APRA is provided with a report from the Appointed Auditor providing limited assurance on the effectiveness of all Prudential Standards.

2. Third Party Assurance

The obligations on the regulated entity include a requirement to assess third and related parties who manage assets. Where this is the case, the entity must ensure that the information security capability and security controls are reviewed and tested. BDO can help by:

  • Reviewing existing third-party Assurance or SOC reports to determine the impact of known issues
  • Performing controls assessments of third/related parties to identify control gaps or opportunities for improvement
  • Performing SOC 2 / ASAE 3150 reports that Regulated Entities can share where they act as a service provider. 

3. Internal Audit

CPS 234 requires that an internal audit must review the effectiveness and the design of all information security controls. These reviews must also include any controls maintained by third parties or related parties. BDO can support a fully outsourced or co-sourced internal audit model.

Key considerations for Boards

With heightened culpability at the Board level, it’s important that boards are ensuring they are taking the right steps to improve their cyber-resilience as outlined above. This is alongside APRA’s expectations that governance and culture are prominent in Board discussions and actions, especially around risk culture.

CPS 234 Checklist - the top ten things you should be considering in 2021

Outlined below are some key considerations regulated entities should have in place or should be actively considering as part of their ongoing maturity. This is a useful checklist for discussion at the Board level:

  • Implement an information security policy framework with clearly defined information security related roles and responsibilities (Board, senior management, governance forums).
  • Identify whether the existing information security capabilities are correct for the organisation.
  • Identify and classify information assets by criticality and sensitivity.
  • Assess the controls that are in place to protect information assets, including those managed by third/related parties. Are these controls commensurate with the size and risk profile of the regulated entity?
  • Implement a risk-based approach to identify, implement, test and monitor key information security controls (including controls over third/related parties).
  • Assess the resource and effort implications associated with performing design and effectiveness testing over third party / related party controls.
  • Ensure that security specific incident management processes are implemented, including escalation / reporting requirements.
  • Determine the extent and nature of testing required to annually confirm the effectiveness of your security response plans, including testing across the 3 lines of defence.
  • Consider information security threats and risks on a regular basis and adjust internal audit programs, as required, to incorporate changes to the information security landscape.
  • Assess and determine what is deemed acceptable in relation to “appropriately skilled” personnel when performing internal audit and other assurance activities.
  • Assess whether current systems and processes are adequate to enable identification and notification to APRA within 72 hours of an actual / potential breach.
  • Test that these processes / systems can meet this threshold.


How can we help?

At BDO, our experience in this area means we can provide insights and opportunities for APRA regulated entities to ensure a robust Information Security framework. Our agile model means we can work with you on a co-sourced or fully outsourced basis. We can assist with all aspects of cyber resilience including:

  • Regulatory assurance
  • Third party assurance
  • Internal Audit
  • Advisory services including:
    • Strategic planning
    • Control maturity assessment
    • Control uplift and implementation
    • Incident response services
    • Operational security (SOC, red teaming)
    • Architecture assessments
    • Education and training

For more information on CPS 234, or any of the aspects mentioned in this article, contact your local cyber partner.