APRA CPS234: The pathway to compliance

This article is not intended to supersede the specific recommendations or measures given within the APRA 234 standard, which is available here.

In effect from July 2019, the APRA CPS234 Prudential Standard is a mandatory regulation that aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyber attacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats.

A key objective of the standard is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including information assets managed by related parties or third parties.

Which organisations does the standard apply to?

All APRA-regulated entities including:

• Authorised deposit taking financial institutions (e.g. banking & superannuation)
• Insurance agencies (e.g. general insurers, life insurers, private health)

Outside of financial and insurance services, the APRA CPS234 standard can be applied in whole or in part to any organisation striving to meet a high degree of platform and data security.

Overview of general approach

APRA CPS234 is most akin to a Big Four bank approach in achieving best-practice cyber security standards.

The standard does not present a fixed set of requirements, so to speak. Instead, it outlines a pathway and recommendations to support third parties (including digital agencies) to achieve the gold standard in security and risk minimisation. This means minimising the risk of authorised persons or machines accessing sensitive information in the first place, and further minimising risk should unauthorised access of personally identifiable information occur.

To provide some perspective in terms of scale - compliance projects of this nature typically require hundreds of hours between multiple practitioners, from senior IT and marketing management, to security consultants and frontline developers. 

Depending on the standard you set out to achieve, this may also impact the investment made in service costs such as hosting or regular compliance audits, commonly increasing infrastructure and maintenance costs by more than 100 percent.

Where do I start?

First of all, it’s important to recognise that only you (the APRA regulated entity) can be accountable for compliance with the standard, particularly given that it contains a mix of vendor and board level requirements. As such, you will need to develop tailored questionnaires and implementation plans for each third party, relevant to the products and/or services that they provide, outlining their key responsibilities that will support your compliance.

We recommend that you get in early and employ the services of a professional cyber security firm, such as Hivint or Sense of Security. Using your digital agency to conduct a security audit would be like marking your own homework. External auditing by a specialist firm is critical and offers the strongest assurance should your approach ever be scrutinised by a governing body such as APRA, or a court of law.

In consultation with your third-party vendors, establish a high level project plan (we recommend allowing a minimum of 10 weeks) with different work streams for each third party – ending with the convergence of all parties' deliverables and your IT department rubber-stamping the universal solution.

As far as finances are concerned, we strongly recommend that you establish a generous and flexible budget - as a broad guide, we suggest that you should anticipate 300 to 500 professional outsourced hours including your digital and security agencies, and unless you already use the gold standard in secure hosting, you should anticipate doubling your current hosting costs, as most frontline security is tackled at this level.

Guiding principles of APRA CPS234

Broadly speaking, the guiding set of principles steering CPS234 aims to address the following:

• Ensuring that governance of policies, procedures and frameworks align as closely as possible to ISO/IEC 27001 (e.g. how a third party responds to known incidents)
• Considering all the practical steps that can be taken to avoid unauthorised access to the hosting or software applications
• If unauthorised access was to occur, ensuring that the information exposed under the breach is as limited as practically possible
• Considering how human error might interfere with the gold standard achieved at the outset. (For example, could a low-level CMS user simply export personally identifiable information?)

What will be examined?

Generally speaking, a technical compliance project for CPS234 will include the following:

Hardware – hosting, environment isolation, access control audit, configuration audit, certificate management and penetration testing

Software – server side applications, web application configuration (e.g. CMS), access control audit and vulnerability scanning

Data – storage models, audit of data types stored, field minimisation, masking or truncating of records, integrations and data transfer methods including imports/exports.

Typical stakeholders involved in compliance

• Senior client-side management – CIO, CTO, COO, CMO
• Senior digital agency management – CIO, DevOps, Account Lead
• Security agency – multiple practitioners
• Legal, both client and agency side – often a complex negotiation

Typical steps taken to achieve compliance

• You (the APRA governed entity) will need to carefully assess CPS234 and other standards that you feel may be relevant (such as ISO 27001) and decide which parts of these standards should reasonably be applied to each third party.
• Working with your cyber security firm, you should then prepare and issue a questionnaire for each third party supplier (e.g. your digital agency and hosting provider), questioning their current practices to establish a baseline.
• Commission your cyber security firm to conduct a review of vendor responses, and if applicable, to access relevant hosting environments and/or software applications in order to gain a deeper view and understanding of how the solutions work together.
• Cyber security firm conducts their prescribed vulnerability scans, penetration tests and security checks, then moves on to finalise a comprehensive report detailing all recommendations, presented and discussed with all relevant parties.
• Parties agree on which improvements will be carried out, with estimated costs/timeline.
• Remediation of agreed tasks is carried out, and the outcome retested by the cyber security firm.
• Future intensive audits are scheduled, typically bi-annually or annually to ensure that the platform has remained compliant throughout the course of continuous improvement.

Contractual negotiation and the cost of maintenance

Client side legal teams will logically seek to ask that the agency is accountable for complying with CPS234 (and sometimes CPS235 + ISO 27001) standards. This request is incredibly broad, and non-specific (frankly, no good agency would likely agree to it).

Instead,  we recommend that you identify the key responsibilities of the agency or third party specific to the standard(s), and negotiate that ‘best efforts’ are made to maintain and audit compliance specific to those responsibilities, with quarterly compliance audits scheduled to verify integrity on an ongoing basis.

Alternatively, should you negotiate that the agency must maintain and certify APS234 compliance with every single deployment, you may be adding as much as 25 percent to your BAU investment due to the significant increase in quality assurance testing.

It should be noted that the cost of establishing and maintaining these responsibilities is very real – so in considering any programmed maintenance or audit tasks, you should seek a fair and reasonable estimate to maintain the desired program of work.