Third-Party Risk Management: In the Hot Seat with APRA
On November 7, 2018, the Australian Prudential Regulation Authority (APRA) released the final version of its prudential standard on information security management in the financial services industry.
APRA’s Prudential Standard CPS 234 requires APRA-regulated entities to:
Clearly define information-security related roles and responsibilities;
Maintain an information security capability commensurate with the size and extent of threats to their information assets;
Implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls; and
Promptly notify APRA of material information security incidents.
Whether it’s the local impact of global trade wars, exposure to cyber threats or the elephant in the room, coronavirus, organisations need not look far for potential risk. Now, APRA regulation is placing a spotlight on information security as a growing area of concern for Australian authorities. With more and more of the world turning to digital solutions and all of their benefits, legislation of this nature will continue to roll out globally in the 2020s. When it comes to ensuring effective cybersecurity measures, companies should focus on three key priorities:
1) Don’t be distracted by the noise and keep a tight focus on the basics (i.e. patching, passwords, backup).
2) Plan for the unexpected but inevitable (i.e. cyber insurance, data breach contingency planning).
3) Revisit access controls, and ensure individual processes and cyber systems are airtight. A breach is inevitable, but becoming a headline doesn’t have to be.
Why now? Data is not new
According to APRA Executive Board Member Geoff Summerhayes, this new APRA standard comes off the back of an increasing number of cyber breaches among Australian businesses. CPS 234 is meant to outline to Australian businesses the minimum standards necessary for managing information security, placing the ultimate responsibility for information security with the board.
‘A significant information security breach at an APRA-regulated entity is almost certainly a question of when – not if. In a worst-case scenario, a major breach could even force a company out of business. As a result, APRA is fast-tracking implementation of this standard, and expects all regulated entities to meet its requirements by 1 July,’ Mr Summerhayes said.
In particular, financial services businesses are being targeted with a growing frequency and sophistication. ‘By introducing CPS 234, APRA aims to ensure all regulated entities develop and maintain information security capabilities that reflect the importance of the data they hold, and the significance of the threats they face.’
Mandatory notification laws…just the beginning
2018 could easily have been called the year of cyber legislation. We saw the European Union’s GDPR (General Data Protection Regulation) come into effect around this time last year (July 2018). This meant businesses were required to report breaches to authorities within 72 hours or risk being fined up to €20 million (AU$31.6 million) or 4% of revenue.
Locally, the Notifiable Data Breaches (NDB) scheme accumulated nearly 1,000 data breach notifications between March 2018 and March 2019. These figures are only set to increase as more companies and consumers are targeted by cybercriminals.
Who’s in the hot seat this time?
The financial services industry will continue to be the centre of attention. This should come as no surprise, given the public shadow cast by the Banking Royal Commission.
In March 2018, Geoff Summerhayes gave a speech titled ‘Computer terminal velocity: APRA’s response to an accelerating risk’. We’d like to draw your attention to this great quote:
The Prudential Standard CPS 234 aims to ensure that APRA-regulated entities take measures to safeguard against information security incidents, including cyber attacks. The key highlights from this include:
a) ‘The Board…is ultimately responsible for the information security of the entity.’
b) ‘Where information assets are managed by a… third party, the… entity must assess the information security capability of that party, commensurate with the potential consequences of an… incident.’
c) ‘[The]…entity must test the effectiveness… through a systematic testing program.’
d) ‘[They] must have robust mechanisms in place to detect and respond to… incidents.’
e) ‘[An entity] must notify APRA… no later than 72 hours after becoming aware of an… incident.’
Cyber: Your business advantage and competitive differentiator
In 2018, we saw numerous examples of consumers and businesses recognising the measurable business value of a sound cybersecurity program. In yesterday’s world, cybersecurity was a cost and often considered a necessary evil. In today’s economy, it’s one of the key variables to drive top-line revenue growth.
The Prudential Standard CPS 234 highlights the critical role of third parties and their cybersecurity posture. Even some of the world’s most experienced managed service providers (MSPs) and cloud service providers have been targeted by breaches in their supply chain.
MSPs are typically trusted by other firms to store, process and protect commercial data. But a large-scale successful attack on IBM, for example, could realistically bring entire industries to a standstill.
Cybersecurity posture an increasingly critical factor
So, if you provide services to another business, expect the questions about your cybersecurity program and posture to increase.
By as soon as 2020, Gartner predicts that 60% of organisations engaging in mergers and acquisitions will consider cybersecurity posture a critical factor in their due diligence process. That’s up from less than 5% in 2018. The way in which businesses, consumers and regulators perceive and interact with third-party cybersecurity risks continues to evolve.
Today, the threat of a data breach from any industry, let alone within financial services, is constant. Managing the risks and obligations specific to your business will only become more difficult in time. Consumer protection will remain a top priority for regulators and will ensure the continued expansion of associated regulation.
How can businesses address this?
Soon enough, businesses across all industries will be expected to maintain sophisticated cybersecurity postures and systems in order to combat the growing threats of the digital economy.
That’s where 6clicks comes in. 6clicks is a breakthrough Software-as-a-Service (SaaS) platform for risk assessment, designed to transform how businesses assess and manage risk within their organisation and across their supply chains.