APRA’s New CPS 234 Prudential Standard: What You Need To Know Now
Ray Giblett from law firm Norton Rose Fulbright and Alex Turner from SS&C Intralinks demystify recent regulations concerning the security of information assets.
19 January 2021
The objective of APRA regulation CPS 234 is to minimize the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets. An organization’s obligations under CPS 234 also apply to information assets managed by third parties or outsourcing providers and their partners.
CPS 234 came into effect on July 1, 2019. For information assets managed by third parties, this has taken effect as of contract renewal or from July 1, 2020.
Ray Giblett from Norton Rose Fulbright and Alex Turner from Intralinks answer some questions regarding the ins and outs of CPS 234, particularly in the wake of upheavals caused by the mass migration to remote access of information in 2020. Their answers come from a legal and technological perspective, respectively.
Just over a year since the regulation became effective, what have we seen?
Ray Giblett: While many financial services firms have made good progress in identifying gaps in policy and have started working toward full compliance, there is, however, still a lot to be done, particularly in relation to third-party providers (underwriters, claims handlers, etc.). A number of challenges, primarily the COVID-19 pandemic and its many impacts, have seen APRA extend the deadline for compliance to 2021 on a case-by-case basis.
Alex Turner: Cyberattacks have increased in frequency, sophistication and impact since the introduction of CPS 234. Particularly in the context of COVID-19, perpetrators – “bad actors” – are continually refining their efforts to compromise systems, networks and information as measures to halt the spread of the virus have forced a vast majority of organizations to do their jobs remotely since the second quarter of 2020.
Can you tell us a bit more about how CPS 234 has been affected by COVID-19?
Ray: Specifically, where CPS 234 is concerned, many project teams were forced to shift their focus away from compliance and pivot to other urgent requirements to facilitate remote working such as onboarding new partners and ensuring adherence to many existing obligations. Recognizing the complexity and challenges for a number of entities and organizations, APRA announced, in light of COVID-19, it will consider requests for a six-month extension to January 1, 2021, giving businesses more time to comply.
Alex: COVID-19 has had many impacts on organizations and their CPS 234 obligations. The speed and the severity with which the pandemic swept through communities meant that many businesses and social services were forced to re-prioritize vital processes at short notice. For example, IT departments were forced to divert their resources to establishing the functionality and scale to securely enable employees to work remotely, which involved accessing and protecting sensitive information.
What are the biggest challenges posed by CPS 234?
Ray: The requirements of CPS 234 sound relatively straightforward. However, they can present challenges for businesses when it comes to translating the regulatory provisions into practice. From a legal perspective, there’s no one-size-fits-all approach and, in some respects, the obligations can be vague. It’s important that organizations are clear on how their approach conforms to the provisions of CPS 234, and specifically, how their external partners’ practices and standards meet their expectations of what compliance means. Cooperation, communication and collaboration are essential in meeting these challenges.
Alex: While many organizations, like banks and insurers, have information governance systems and project teams committed to the adherence to CPS 234, identifying where their digital assets sit, what types of systems are being utilized – and how that flow can be managed – has been a major challenge.
Another set of significant challenges lies in ensuring that third parties and related parties meet and adhere to their CPS 234 obligations. It’s not just APRA-regulated firms that have to adhere to CPS 234; it’s associated entities, by proxy, that have an obligation as well. If an APRA-regulated firm is dealing with someone who would normally fall outside the scope of CPS 234, they too are now being scrutinized in a way that hasn’t happened before.
What is the key to successfully abiding by the regulation?
Ray: It’s important that organizations work to identify potential gaps and weaknesses in their current processes and capabilities. Once the organization’s gaps are identified, a pragmatic plan has to be developed that adequately addresses the governance weaknesses identified (auditing and testing) and uses the right technologies. Partnering with an IT provider who understands the requirements and challenges that go with properly adhering to CPS 234 is an essential quality to look for in any external partnership.
Alex: As well as identifying weaknesses and gaps, ongoing follow-ups, like monitoring and quality assurance with internal teams (if your organization’s size allows, of course), as well as broader industry engagement and collaboration, will be part of successfully adhering to your organization’s CPS 234 obligations. In terms of IT, the importance of ongoing auditing and testing, as well as having a clear policy of what adherence entails from top to bottom, can’t be understated.
How can companies ensure their data is being managed properly with their third-party suppliers?
Ray: As well as protecting data from an IT perspective, there are a number of ways to ensure the integrity of data management by third parties from a legal perspective. One way is to engage industry experts and consultants to:
- Conduct due diligence on any vendor that has access to your digital assets (i.e. can they do the job?);
- Ensure your contracting requirements are adequate and they provide testing and auditing rights (CPS 234 cannot be treated as set-and-forget);
- Provide independent advice on your remedies and indemnities for liabilities or losses that might arise from any potential data breach;
- Explore whether a cyber insurance product might be an appropriate policy for your organization to purchase.
Alex: In ensuring your data is being properly managed by your third-party providers, you should identify what and where your digital assets are, making sure you engage vendors who have, or will have, the proper certifications such as ISO 27001, SOC 1, SOC 2, SOC 3 and so on. There are various accreditations, audits and quality standards that are globally recognized that you can look out for, and consequently ask your vendors to apply to their business, to make sure that they meet obligations.
Have there been any wins seen since CPS 234?
Ray: From a longer-term perspective, CPS 234 will be a win for organizations as they mitigate the risks of data breaches, which could compromise the security of businesses and expose them to significant legal challenges and financial liabilities.
Alex: This new standard holds businesses more accountable and, therefore, has to be considered a win for customers because of the peace of mind and improved integrity relating to the storage and transmission of their information and data.
Do you think all required organizations are fully compliant with the regulation?
Ray: Significant work has been done but very few organizations are all the way there. Full compliance is an ongoing project of constant assessment of risks as policies, new practices and challenges emerge.
Alex: While there have been a number of challenges for businesses to meet their CPS 234 obligations while managing significant workplace restructuring in the wake of the COVID-19 pandemic, the focus on compliance remains a priority within many organizations.
Ray and Alex recently participated in a webinar convened by Norton Rose Fulbright on the state-of-play on industry preparedness to meet CPS 234 obligations. Other participants in the webinar included Timothy Chan, an associate at Norton Rose Fulbright. Watch the webinar in its entirety here.
Alex is the head of the Australia-New Zealand (ANZ) region. An experienced leader with a background in computer software, SaaS and secure document exchange, he leads ANZ’s sales, operations, go-to-market strategy and reporting.