Obligations under CPS 234 and its trickle-down effect
The fast-tracked development and commencement of APRA Prudential Standard CPS 234 on 1 July 2019 has been widely viewed as a step in the right direction given the extent of the threat posed by cyber risk.
CPS 234 builds upon previous prudential standards and outlines minimum requirements for APRA-regulated entities for the management of information security, with the aim of ensuring regulated entities have sufficient security measures in place having regard to the criticality and sensitivity of information they hold. In short, it imposes greater cyber security obligations on regulated entities. A knock-on effect of this, which is arguably a more significant development, is that regulated entities are now seeking to impose obligations on third parties across their supply chain.
Headline Obligations on Regulated Entities
The headline obligations imposed on APRA-regulated entities by CPS 234 include:
- Maintenance of information security in a manner proportionate to the size and extent of threats to information assets, to enable continued sound operation of the entity;
- Classification of information assets by criticality and sensitivity;
- For an entity that has information assets managed by a third party, the assessment of the information security capability of the third party to ensure it is commensurate with the potential consequences of an information security incident affecting those information assets;
- If a third party that manages information assets for a regulated entity engages another service provider, the regulated entity must take reasonable steps to satisfy itself that the third party has sufficient information security capability to manage the additional threats and vulnerabilities arising from that arrangement;
- Clearly defining the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals within a regulated entity;
- Implementation of an internal policy framework that is commensurate with the threats and vulnerabilities the entity is exposed to;
- Implementation of information security controls, which are subject to regular and appropriate testing;
- Notification to APRA of certain information security incidents within 72 hours; and
- Notification to APRA, as soon as possible and in any case no later than 10 business days after becoming aware of it, of a material weakness in the entity's information security controls that the entity expects it will not be able to remediate in a timely manner.
These obligations are significantly more onerous than those imposed by the Privacy Act and the Australian Privacy Principles (APPs). In many respects, the new obligations are more closely aligned to the General Data Protection Regulation (GDPR) in force in Europe.
For example, the detailed documentation requirements imposed by CPS 234, which include defining the information security-related roles and responsibilities of the Board, an information security policy framework, information asset classification, information security response plans, and controls testing and auditing, are closer to those required by the GDPR and far more defined than the obligations imposed by the Privacy Act and the APPs.
In addition, CPS 234 requires an entity to notify APRA within 72 hours of information security incidents that materially affected, or could have materially affected, the entity or its stakeholders, and to notify APRA no later than 10 business days after it becomes aware of a material weakness in its information security controls that cannot be remediated in a timely manner. These obligations are broader and more time sensitive than the equivalent obligation in the Privacy Act, which only requires notification of "Eligible Data Breaches", and only as soon as practicable after the entity has completed an assessment of the incident. The Privacy Act requires that all reasonable steps be taken to complete that assessment within 30 days of the entity becoming aware of the suspected breach.
CPS 234’s significantly tighter notification time limit, and its requirement to notify a broader range of incidents, is likely to cause APRA-regulated entities to respond to any incident with greater urgency than an entity not obligated to comply with CPS 234. It remains to be seen how APRA will respond to notifications and what enforcement steps it will take.
Otherwise, limited guidance has been provided to regulated entities on the extent of the measures they will need to put in place to satisfy the regulator that they have complied with a number of these newly imposed obligations, particularly those obligations that call for measures that are "reasonable" or "commensurate" with the potential consequences of an incident.
The trickle-down effect
Regulated entities have been preparing for the arrival of CPS 234 for some time and have taken a number of the steps required for compliance with the recently introduced standard.
However, efforts to implement policies and procedures that accord with CPS 234 are ongoing, particularly in respect of the obligations imposed around the oversight of third parties who “manage” a regulated entity’s “information assets” that are embedded throughout CPS 234.
Although the third party manages the information assets, the regulated entity remains responsible for them and remains subject to the reporting requirements. Regulated entities therefore need to ensure that their third party providers are effectively meeting the obligations imposed by CPS 234, so that the entity itself is not in breach of the standard.
Under the standard, regulated entities are required to have measures in place with third parties so that they meet the requirements of CPS 234 by the earlier of the next renewal date of the contract with the third party or 1 July 2020.
Limited guidance has been provided on how an entity is to determine whether a “third party” is “managing” its “information assets”. A footnote in CPS 234 supports a broad interpretation of the concept, which we suspect has played a part in regulated entities adopting a conservative approach and requesting that any third party involved in their supply chain set out how it intends to comply with the obligations imposed by CPS 234.
This goes beyond IT and managed service providers, and effectively captures any business that provides services to a regulated entity where the entity must disclose information to that business in order for the services to be provided.
As a result, regulated entities are looking to impose CPS 234 standards on many businesses that would not have anticipated a need to comply with such rigorous standards. This includes obligations around the classification of information assets and the extent of the security capabilities and controls. This also includes requirements around the use of third parties by those businesses. Given the extent of the obligations and the likely costs to comply, it remains to be seen what steps businesses are willing to take towards compliance and the response by regulated entities and APRA to the steps taken.
The uncertain road ahead, but in the right direction?
We predict that the CPS 234 obligations that regulated entities are imposing on third parties will become a point of some contention. It will be difficult for a number of third party businesses to comply with those obligations, and regulated entities will effectively be caught in the middle, as they will not themselves be able to demonstrate compliance with the obligations imposed on them in respect of their third party arrangements.
Given the volume of cyber incidents that have stemmed from deficiencies or failures in systems of third party providers and suppliers, the obligations sought to be imposed by CPS 234 comprise an understandable development in the right direction from the perspective of enhancing general cyber resilience across industries.
It remains to be seen, however, whether businesses can realistically comply with those obligations at this time or if intermediate steps need to be developed that will ultimately facilitate compliance with CPS 234.