APRA CPS 234: Best Practices for Meeting Third-Party Risk Management Requirements

APRA CPS 234 Information Security Guidelines for Third-Party Risk Management

The APRA standard is organized into several categories of requirements. We have identified the most applicable to third-party risk management and best practice capabilities that can help meet the requirements.

Roles and Responsibilities

This category includes provisions that require companies to identify who in their organization is responsible for information security and what functions they perform. It encourages the formation of cross-functional teams to provide proper oversight, and governance from the board of directors.

To ensure that third-party risk management is a key component of an overall information security program, build a comprehensive third-party risk management (TPRM) program in line with your broader information security and governance, risk and compliance programs based on proven best practices and extensive real-world experience. As part of this governance program, your internal teams should define:

• Clear roles and responsibilities (e.g., RACI)
• Third-party inventories
• Risk scoring and thresholds based on your organization’s risk tolerance
• Assessment and monitoring methodologies based on third-party criticality
• Fourth-party mapping
• Sources of continuous monitoring data (cyber, business, reputational, financial)
• Key performance indicators (KPIs) and key risk indicators (KRIs)
• Governing policies, standards, systems and processes to protect data
• Compliance and contractual reporting requirements against service levels
• Incident response requirements
• Risk and internal stakeholder reporting
• Risk mitigation and remediation strategies

Be sure to look at every stage of the third-party lifecycle – from sourcing and due diligence, to termination and offboarding – to align expectations with your organization’s risk appetite.

Information Security Capability

This category includes requirements to regularly assess the information security capability of third parties and continuously monitor threats.

To assist in automating what can be a very cumbersome process, consider:

• Leveraging multiple third-party risk assessment types backed by workflow, task management and automated evidence review capabilities. This level of flexibility will help your team address the risks that matter most to the organization.
• Monitoring the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. This helps to maintain a continued focus on risks in between assessments.
• Correlating monitoring data with assessment results in a unified risk register for each vendor, which streamlines risk review, reporting and response initiatives.
• Building a library of remediation recommendations based on risk assessment results to ensure that third parties address risks in a timely and satisfactory manner.

If you are faced with limited resources and expertise, you can outsource the management of the third-party risk lifecycle – from onboarding vendors and collecting evidence, to providing remediation guidance and reporting on contract SLAs. As a result, you reduce vendor risk and simplify compliance without burdening internal staff.

Policy Framework

The Policy Framework category requires companies to maintain a security policy and ensure that internal teams and third parties are aware of it and adhere to it, and that it is regularly evaluated.

Since compliance can be tricky and time-consuming, leverage an assessment methodology that maps to leading information security governance frameworks such as ISO. With this capability, you can visualize and address compliance requirements in the framework that is most applicable to your organization.

Information Assets Identification and Classification

This CPS 234 category requires APRA-regulated entities to classify their information assets, including those managed by related parties and third parties, by criticality and sensitivity.

To jump start this process, define a methodology for tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification should include the following attributes:

• Type of content required to validate controls
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties (to avoid concentration risk)
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation

From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

Implementation of Controls and Testing Control Effectiveness

These categories require companies to have information security controls to protect information assets, including those managed by related parties and third parties; that they are commensurate with the risks applicable to the company; that their design is regularly tested; and that deficiencies that cannot be remediated in a timely manner are escalated to the board or senior management.

Start by reviewing third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place. Then, map the responses to common frameworks such as SIG, ISO or SOC 2 to simplify their evaluation and track remediations to completion.

Incident Management

This category requires APRA-regulated entities to have policies and procedures in place to detect and respond to information security incidents in a timely manner, including escalation, reporting, and regular review of policies.

Having a tested and proven incident management process in place is essential for accelerating incident discovery and mitigation. Key steps include centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance.

Internal Audit

This APRA CPS 234 category says that internal audit activities must include a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties (information security control assurance); and that information security control assurance should be provided by personnel appropriately skilled in providing such assurance.

Standardize information security assessments against SOC 2, Cyber Essentials, ISO, or other information security control frameworks. This approach provides internal audit and IT security teams with a central methodology for measuring and demonstrating adherence to internal IT controls. These same assessments are also used to assess the information security controls of third parties, delivering a consolidated, inside-out view of information security.

APRA Notification

The final category of the APRA 234 standard requires APRA-regulated entities to notify APRA within 72 hours after becoming aware of a material information security incident, and within 10 business days after it becomes aware of a material information security control weakness that cannot be remediated in a timely manner.

Meeting this requirement is all about producing effective reporting. Machine learning (ML) analytics helps by revealing risk trends, third-party risk status and exceptions to common behavior that might not be obvious with simple spreadsheet-based reports. This level of analytics help you to visualize and address compliance requirements by automatically mapping assessment results to regulatory and industry frameworks, and produce regulatory-specific reporting in a fraction of the time that is normally devoted to manual, spreadsheet-based risk assessment processes.

How Prevalent Helps Address APRA CPS 234 Information Security Guidelines for Third-Party Risk Management

Prevalent can help your financial services organization add governance and oversight to its third-party relationships by:

• Building a comprehensive, agile and mature third-party risk management program based on proven financial services industry best practices
• Automating the identification and assessment of third parties based on their criticality to the organization
• Assessing and continuously monitoring for cybersecurity, business, financial and reputational risks
• Measuring against key risk indicators (KRIs) and delivering remediation recommendations to reduce third-party residual risk
• Automating controls validation processes to ensure key controls are in place and operating as planned
• Reducing incident response and risk mitigation timelines through automation and continuous monitoring
• Including templates to simplify regulatory and security framework audit reporting to multiple internal and external stakeholders

For more on how Prevalent can help address the third-party risk management requirements in this standard, download the comprehensive APRA CPS 234 compliance checklist or request a demo today.