In November 2018, the Australian Prudential Regulation Authority (APRA) released the Prudential Standard CPS 234 in direct response to the escalating attack landscape in the financial sector. APRA has understood these threats to be the direct result of banking services moving to more complex and heavily used digital platforms. The new Standard emerged as an offshoot to the Notifiable Data Breach Scheme, which came into effect in early 2018. With the advent of online services and new entities such as neobanks, these controls have now become critical. CPS 234 ensures that APRA-regulated entities have implemented sufficient protections to guarantee information security across the computing platform.
CPS 234 applies to any entity that is regulated by APRA. These include:
- Banking organizations, neobanks, credit unions, or any other Authorised Deposit-taking Institutions (ADIs).
- Insurance companies.
- Superannuation Funds.
- Private health insurance companies.
- Non-operating holding companies.
- Life companies and friendly societies.
CPS 234 is not limited to domestic entities. It is applicable to foreign entities as well, namely:
- Foreign ADIs
- Foreign General and Eligible Foreign Life Insurance Companies (EFLICs)
CPS 234 commenced in July 2019. This means that if an organization’s information assets are managed by a third party, it must make sure any new contracts are CPS 234 compliant. For existing contracts, organizations were given a one-year grace period to bring those contracts into compliance.
Who Is Responsible for CPS 234 Compliance?
The responsibility to ensure compliance with CPS 234 ultimately falls on the Board of Directors of these APRA-regulated entities. This means that the Board must ensure that the entity maintains information security in a manner consistent with the size and extent of the threats to its information assets.
What Are the Key Requirements?
Some of the broader requirements of CPS 234 are:
- Identify, implement, and maintain information security controls that are proportional to the threats posed to the organization.
- Clearly define information security-related roles and responsibilities.
- Implement controls to protect information assets, and undertake regular testing along with assurance of the controls implemented.
- Notify APRA in a timely manner of material information security incidents.
One point worth noting is that Clause 13 of the requirement states that the Board of an APRA-regulated entity is ultimately responsible for enforcing CPS 234 compliance. This means that APRA has recognized information security to be a business concern, not solely a technology problem. This is critical in defining how these organizations approach the implementation of such controls, as non-compliance is not an option and carries heavy fines and sanctions.
CPS 234 does not prescribe the level of granularity or the classification method for these controls; this is left entirely to the regulated entity to implement and categorize.
These broader requirements can be broken into 9 compliance areas:
- Roles and Responsibilities: All regulated entities MUST clearly define roles and responsibilities across all aspects of their information security strategy, starting at the Board and Senior Governance committees.
- Information Security Capabilities: Within an organization, Information Security capabilities that are directly commensurate with the threat posed to the entity must be implemented and maintained.
- Policy Framework: The entity must define an Information Security policy framework. This framework will serve to articulate the necessary controls and provide guidance and validation regarding information security.
- Information Asset Identification and Classification: All information assets, hardware or software, must be identified and classified to define their criticality and sensitivity.
- Implementation of Controls: The regulated entity must have information security controls to protect its information assets, including assets managed by related third parties. These controls must take into account:
  - Vulnerabilities and threats to information assets,
  - The criticality and sensitivity of information assets,
  - The life-cycle stage of an information asset, and
  - The potential repercussion or consequence of a security breach or incident.
- Incident Management: A clearly defined incident management plan must be established, reviewed, and tested annually.
- Testing Control Effectiveness: Control effectiveness must be regularly tested through standard assurance processes, providing a degree of assurance that vulnerabilities and threats are identified and duly managed across an information asset’s lifecycle.
- Internal Audit
- APRA Notification: APRA must be notified within 72 hours of any incident impacting the entity’s information assets. The regulated entity must also notify APRA within 10 business days of any control weakness the organization cannot remediate in a timely manner.
How Can Companies Be Best Prepared for Audits of CPS 234? What Are Some Best Practices for Companies to Consider?
Roles and Responsibilities
Complying with CPS 234 can be daunting, but it need not be. Achieving compliance, as with any other information security framework, will require the appropriate technical controls. The biggest challenge to compliance can be a lack of guidelines and of practical guidance on dealing with third parties.
There is a lot to do to comply with CPS 234. The easiest requirement to fulfill is to ensure that the roles and responsibilities of all security staff are clearly defined, articulated, and communicated organization-wide. This simple requirement is not dependent on any technology or strategy, and it is something most organizations tend to achieve by default. Bear in mind that roles and responsibilities need to be articulated for third-party vendors as well and stipulated in their contracts.
Point 9 of the regulation mandates that organizations must have a streamlined process for notifying APRA of an incident impacting their information assets. The scope and extent of the incident can be determined in parallel. Often, an assessment or internal investigation will take place to determine the type of data that has been compromised and whether it contains any customer information. This requirement may overlap with other frameworks such as GDPR or Australia’s Notifiable Data Breach Scheme. The challenge here is to assess each incident on its impact and subsequently establish the time threshold within which these breaches must be reported. Entities also need to establish a chain of command and an internal reporting process for such breaches.
Third-Party Vendor Compliance
Another challenge is to manage and gain visibility into the information security features and processes of third-party vendors, and how these correspond to the potential consequences of a security incident. First and foremost, a contract must be established between the entity and the third-party vendor to ensure these requirements are maintained. If the third-party vendor does not have the appropriate security measures, the entity needs to consider an effective yet secure way of doing business: either by enforcing controls through its own processes or technologies (limiting access to a network, for example) or by providing guidance to the third party to bring it to an acceptable security posture before business can be conducted.
Any shortcomings in third-party security controls must be reflected in the master contract.
Policy Framework, Internal Audits, and Implementation of Controls
Perhaps the most challenging and arduous requirement of CPS 234 is to achieve compliance with a policy framework and the implementation of controls on information assets. Depending on the scale of an organization’s asset map, achieving compliance can become a repetitive, error-prone, and resource-intensive process. Moreover, constant changes to information assets can quickly render them non-compliant. This leads to compliance drift, where the entity’s information assets deviate from the desired state of compliance due to a lack of central monitoring of configuration and policies.
All these challenges apply to any financial entity, regardless of which compliance framework it adopts and which systems need to be monitored through configuration assessments and vulnerability assessments.
How Tripwire Can Help
Tripwire is synonymous with change monitoring, compliance, configuration assessment, and vulnerability assessment. Beyond these capabilities, Tripwire can help entities address other aspects of CPS 234, namely discovering and identifying information assets, supporting internal audit, and supporting SOC teams for the purpose of incident management.
As an example, Tripwire Enterprise can help organizations achieve a level of compliance with their adopted policy framework by running scans across their IT assets and documenting where the entity passes or fails these granular checks. This can be done centrally across all IT assets, whether physical, virtual, or cloud-based. Tripwire Enterprise can also help ensure that entities comply with popular configuration baselines such as CIS or NIST and drastically reduce their attack surface by securely configuring their IT assets. The ability to track change across all IT assets, enriched with context, allows entities to distinguish between good, bad, authorized, and unauthorized changes across their IT environment.
Another requirement that Tripwire can help fulfill is running a robust vulnerability assessment program, providing insight into undetected threats and vulnerabilities before they become an issue. Entities can also tag all discovered assets with configurable labels describing the business context, role, sensitivity, and criticality of each asset.
The matrix below represents where Tripwire can help financial entities achieve compliance with CPS 234:
The intention and structure of CPS 234 have been established to promote and encourage good security practices within financial institutions and put due responsibility and accountability on the Board. However, experience has shown us that complying with such guidelines can be cumbersome and daunting if not supported with the right solution and process model.
CPS 234 isn’t about enforcement; the intention is to create a compliant and resilient security posture while reducing the attack surface industry-wide. In today’s ever-expanding and fast-evolving financial sector, where crypto and micro banks have become the new normal, this is a good place to start.