Robert Neely and Lisa Fitzgerald recently addressed some of Australia's highest profile chief technology officers (CTOs) in relation to information security obligations under APRA standard CPS 234 as either regulated APRA entities or corporates adopting the prudential standard as best practice. Here is some of their guidance.
Managing regulation in an environment where not all parties in your supply chain or outsourcing arrangements are bound by CPS 234, is one of the challenges facing many businesses in implementing this relatively new prudential standard. Essentially, the regulated entity needs to ensure that its service providers are complying with the standard when managing information assets, as if they were regulated.
The following are some key considerations for regulated entities to apply in the context of their supplier contracts.
First, determine if the third-party service provider is involved in managing information assets. Unhelpfully, no guidance is provided in CPS 234 in terms of the meaning of "managing". However, if there is an element of control exercised by the third party over those information assets (including, we would suggest, if the third-party service provider is hosting an application through which data is processed), there is likely to be management of that information.
Second, as third-party suppliers may not be APRA-regulated, a contractual commitment to comply with CPS 234 is necessary. One significant problem to overcome is the fact that those suppliers are unlikely to be in a position to determine the "what" or "how" of such compliance for the particular entity whose information assets they are managing. Therefore, the contractual arrangement will need to be predicated on close consultation between the parties about the information to be managed and the most appropriate security measures for those assets during the information lifecycle.
Third, consider whether the prudential standard relating to outsourcing, CPS 231, may also apply. This standard applies where the information management role performed by the third party is a "material business activity" of the organisation. CPS 231 is more prescriptive. It identifies the minimum contractual requirements for such outsourcing arrangements, from defining the scope of services, to service levels, the inclusion of specific indemnities to cover sub-contracting arrangements, and a requirement to consult with APRA prior to entering into any offshoring arrangement which may well form part of an information management service that is cloud-based, such as those utilising Azure or AWS services.
Finally, satisfying CPS 234 itself will require:
- evaluation of the design of the third party's information security controls. This will include but will not be limited to ISO 27001 certifications. The third party's assurance practices are likely to be key to this obligation.
- reporting of information security incidents (both to the Board and then to APRA). This will require adequate and regular monitoring to detect such incidents and as such should form part of the contractual terms (incorporating adequate governance procedures). These obligations should also accommodate other reporting obligations that may be triggered, such as to the ASX as part of a listed entity's continuous disclosure obligations or the OAIC for eligible data breaches.
- reporting of control weaknesses. This will again require monitoring and testing in order to detect such control weaknesses and will also need to be built into the contractual terms and perhaps managed most effectively through the appointment of an auditor.
- working with a living contractual document. CPS 234 obligations are not static, but move in line with evolving threats and the changing status of the information itself throughout its lifecycle, according to its criticality and sensitivity and its potential in the event of its compromise to have financial and/or non-financial effect. An example of the changing status and potential for financial or non-financial impact is, in a banking context, a closed bank account versus active bank accounts. The data in each scenario will have a different criticality and sensitivity classification and potential to cause financial or non-financial harm. The closed account is likely to justify a lower classification compared to the open account, which may justify a difference in treatment throughout the lifecycle of that information.
All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.