APRA’s CPS 234 and Supply Chain Compliance: FAQs

In June 2020, NCC Group Australia hosted a webinar on APRA’s CPS 234 Information Security Standard (“CPS 234”), addressing supply chain risk management and compliance, as well as how to apply for the deadline extension. Our hosts were Joss Howard, Cyber Security Senior Advisor, and Andrew Brewer, Regional Head of Risk Consulting, at NCC Group. In addition to sharing their expertise in the webinar, they have also provided responses below to the questions asked by attendees on CPS 234 compliance and the process for ensuring that supply chain risk is managed effectively. We hope you find them helpful on your path to CPS 234 compliance, and if you require any further assistance please reach out to our Sydney team on +61 (0) 2 9552 4451.

CPS 234 Extension and Compliance

Does the deadline of 1 January 2021 apply to all suppliers, or just those that present a material risk to an entity?

The deadline only refers to those suppliers that present a material risk to a regulated entity as defined by the Prudential Standard CPS 231 (Outsourcing) and CPS 234 (Information Security). Therefore, regulated entities must ensure that they assess the supply chain risk for in-scope material suppliers by 1 January 2021, where an extension has been granted. If you are a supplier that falls into this category then you should expect the regulated entity to request a response on how you are protecting its information assets through the implementation of security controls.

How long would it take to achieve compliance if you haven’t started yet?

A CPS 234 gap assessment takes between 7–12 days depending on the size of the regulated entity. This will identify gaps in compliance. How long it would take to implement additional controls to meet the CPS 234 clause requirements and close these gaps is dependent on factors such as resources available, budget etc. Therefore, it is difficult to give accurate timeframes; we suggest starting with the gap assessment to determine your current position.

In terms of timeframes to assess material suppliers, it takes around 2-3 weeks to embed a framework if using the support of an external service provider. Suppliers should then be given 3-4 weeks to a respond to a questionnaire or provide an alternative from of assurance of its security controls. Therefore, it is likely to take at least 6-8 weeks to assess all your material suppliers and identity risks. These timeframes are dependent on the size of the regulated entity and the number of suppliers to be assessed, if you haven’t started then it is advised that you get started straight away.

What are the consequences of non-compliance and how strict will APRA be after the deadline passes?

Although APRA doesn’t currently financially penalise entities for non-compliance with standards such as CPS 234, the consequences are broader than that. Entities need to ask themselves if they want to face the risks without the proper protection in place. Do you want to risk losing your licence? Do you want to end up in the media for negative reasons, and to lose the trust of your customers?

In terms of how firm APRA will be, that’s a question for your supervisor. But, the current deadline of 1 July 2020 has been in place for nearly a year now so they will expect you to have achieved at least something by the end of June 2020. How strict will APRA be after the deadline passes? It is not known, but what we’re sure of is that you probably don’t want to be in the position to find out!

Supplier Assessment Process

What standard or framework do you recommend a supplier risk assessment questionnaire be based on?

The best option is to align your questionnaire to your own internal policies and standards where they exist. International standards or frameworks don’t typically lend themselves to creating good questionnaires. Therefore, rather than aligning to anyone of these directly, you are best to focus on your own policies or industry best practices.

What do you do if suppliers don’t complete the questionnaire?

There will be instances where suppliers refuse to respond to questionnaires, particularly those suppliers that have several thousand customers globally. This is why it’s important to establish a documented process and policy for your organisation with information on alternative methods that can be used to assess supply chain risk in these circumstances. This could be reviewing audit reports or other equivalent documents provided by suppliers.

How often should you assess suppliers?

This criteria should be documented in internal policy, but as a guideline, an annual assessment of Tier 1 suppliers is probably necessary. For Tier 2 suppliers you may decide to assess every two years and for Tier 3 you may decide that no assessment of these suppliers is required as the risk is within business appetite.

What would a good annual review look like?

This could be resending out the questionnaire received from the supplier in the previous year and getting them to validate the responses and highlight any changes. You should also request to view any latest certificates or audit reports that have been conducted since the previous assessment. You will find that the annual review process is much less effort than the first year in almost all cases.

Would you recommend the use of any third-party tools or platforms to assist with vendor assessment?

We generally recommend a consultancy approach over just platforms, but you can use both as most consultancy businesses have a platform that they use to manage supplier assurance programmes. The main issue when using a commercial-off-the-shelf platform without consultancy is that you don’t get your own embedded framework. At any point in the future that you no longer want to use this platform, you’re essentially left with nothing. A consultancy will help you to establish an internal framework that will become embedded within your business and which you’ll have for life. So while it might be slightly more cost up front to use a commercial platform, it’s more cost-effective in the long run to have your own embedded framework. We can help you with this, to learn more reach out to our team.

What is the internal auditor’s role in assessing the controls of suppliers that are ISO 27001 certified? What about those suppliers that aren’t ISO 27001 certified but provide assurance from another third party?

The internal auditor should still assess the supplier’s security provisions to ensure that the regulated entities material risk is not compromised. ISO 27001 certificates can be used to support this assessment but not necessarily used independent of other assessments or audit conducted by the internal auditor where required. This is because APRA expects a regulated entity to assess that the supplier’s security controls are commensurate with the potential consequences of an information security incident affecting its information assets. APRA does not consider it sufficient for a regulated entity to rely on the supplier’s own regulatory oversight requirement as an indicator that the supplier has the capability to protect the entities information.

For organisations that aren’t compliant with ISO 27001, but provide assurance that has been independently verified by a third party, then it would be a case of assessing this report and deciding if it is sufficient to provide assurance that the supplier has the information security capability to protect the entities information assets. Regulated entities should not assume that achieving ISO 27001 certification automatically means that you are compliant with CPS 234.   

Suppliers

If a supplier is not an APRA-regulated entity, are they directly required to comply with CPS 234?

As a supplier providing a service or processing information on behalf of a regulated entity, you don’t need to comply with CPS 234 (unless you’re considered an entity yourself). You will be expected to provide assurance to the regulated entity that you’re protecting their data sufficiently, have adequate security in place to support the service and are reducing the material risk to their data and operations.

What is your view about material suppliers that are shared by multiple regulated entities and may end up being assessed multiple times, by different entities seeking to assure compliance?

Ideally, you would expect key suppliers such as this to be proactive in providing assurance to all their regulated clients that they are managing risks appropriately. In other words, they should conduct their own CPS 234 assessment or equivalent that has been validated by an independent third party and is sufficient to provide to all regulated entities to demonstrate current compliance status or security posture. This should be accepted by the regulated entity and prevent suppliers having to complete multiple questionnaires. We believe this should be the ideal end goal for all regulated entities and suppliers to ensure this process is the most effective.

How would you recommend a supplier set themselves up so they don’t have to answer questionnaires from each client?

As mentioned above, the best option would be to get external help to validate your controls and provide that output to your regulated clients rather than responding to questionnaires. At most, the regulated entity may require some follow-up responses or validation to be provided. The type of engagement will be based on the size or your business and how much material risk you pose to your regulated clients. If you have conducted a sufficient engagement with a reputable service provider to validate your controls, then there is no reason why it wouldn’t be accepted by the regulated entity.

If the attestation is provided in the form of ISO 27001 and penetration test, would this be sufficient as a supplier to assure regulated entities that we’ve designed and implemented security controls effectively?

It comes down to what regulated entities are willing to accept dependent on the material risk the supplier poses to the business. If you’re a supplier who presents a very low risk to that entity, then the letter of attestation may be sufficient for them. If you’re a higher risk supplier, it may not be enough. The triage process and process document are there to identify what inherent risk each supplier poses and what is needed to reduce risk, aligning to the requirements of CPS 234.

About NCC Group

As a supplier, how is NCC group engaging with their clients, especially around amendments to current contracts?

Entities should be proactively asking suppliers how they protect their data regardless of the new standard. Obligations around information security are usually already built into contracts so there’s no particular need to mention CPS 234 directly. To actually say to a supplier that they must comply with CPS 234 would be really difficult as it’s not the supplier’s responsibility to comply, unless of course they fall into the regulated entities as defined in CPS 234. Their responsibility is to provide evidence that they will reduce risk, which is generally a contractual obligation already.

At NCC Group, we’ve been asked by our clients how we would comply with CPS 234 and how that reflects in our contracts. Our contracts have been created to cover a range of global data privacy regulations and government security obligations for us to operate.

Is NCC Group’s attestation of supplier security posture recognised by APRA?

Our reports have been provided to APRA and we have received responses stating that there are no challenges. As a global cyber security firm having conducted many audits aligning to rigorous auditing standards, we are confident that our supplier assurance and attestation approach is sufficient to meet yours and APRA’s needs. We are open to discuss this further with APRA as this is an issue that needs to be addressed.

On the entity side, it’s up to a business to determine internally what process they take to meet the CPS 234 requirements and what third-party assessments they accept as sufficient assurance.

To understand how NCC Group can help you manage your supply chain risk and comply with APRA’s CPS 234 regulation, get in touch by emailing apac@nccgroup.com