Navigating InfoSec Requirements of APRA CPS 234

By Jasper Chik, Sr. Solutions Engineer, AppOmni

There’s a saying I’ve heard from many cybersecurity professionals: “Following good security compliance standards does not necessarily lead to good security outcomes.” This paradox might remind some readers of the words a defiant Han Solo shares while navigating a dense asteroid field: “Never tell me the odds.” Whether or not you’re a Star Wars fan, we all recognize that cybersecurity standards or frameworks aim to provide good assurances against security risks. But odds are you’ll encounter a security incident at some point due to so many variables outside your control. And this is where Australia’s APRA CPS 234 standard comes into play.

What is the APRA CPS 234 Standard — And How Does It Affect Australian Financial Services?

The Australian Prudential Regulation Authority (APRA) created this standard with the stated goal of protecting the interests of Australian depositors, policy holders, and superannuation fund members. APRA CPS 234 standards apply to the following entities that operate in Australia:

  • Insurers
  • Superannuation (retirement) funds
  • Credit unions
  • Building societies
  • Local and foreign banks

For these financial services providers, proving compliance is a matter of gaining or retaining your banking and trading licenses. APRA uses this enforcement mechanism to ensure its standards of “good” information security capabilities are taken seriously by the industry it regulates.

CPS 234 started as a guideline (CPG 234) and quickly evolved into a standard. Given the growing number of cyberattacks and threats against the financial industry, APRA wanted to address the risks facing the financial systems that underpin this country. Regulators also recognized that the industry’s move to platforms such as the public cloud and third-party suppliers/providers means new and sophisticated threats will emerge.

Released in July 2019, the standard came with impeccable timing. Not only did COVID-19 force most industries to operate fully online nearly nine months later in order to keep conducting meaningful business, it also increased both the volume and impact of threat actors attacking these industries. These attacks included critical infrastructure organizations.

Considering how interconnected and digital our lives are today, CPS 234 had suddenly forced once reluctant organizations to implement robust security controls, quickly evolving from a “nice to have” into a “need to have.”

What Does the CPS 234 Standard Require?

The CPS 234 standard itself is relatively brief and non-prescriptive. It mandates four key requirements of its members:

  1. Define the governance standard within the entity, who is responsible, and what role they play in maintaining the information security standard.
  2. Maintain an information security capability commensurate with the size and extent of the threats to its information assets, so that the entity can continue sound operation.
  3. Implement controls to protect said information assets commensurate with the criticality and sensitivity of those information assets, including undertaking systematic testing and assurance for security control effectiveness.
  4. Notify APRA of any material information security incidents.

As numerous organizations have moved — and continue to move — critical business operations and sensitive data to SaaS platforms, the need to examine SaaS providers’ CPS 234 compliance is crucial.

The data entrusted to SaaS providers forms part of your organization’s business operating capability. As such, the information security capability of those SaaS providers must be evaluated, measured, and continuously assessed.

How Is SaaS Security Currently Handled?

Many financial services and insurance organizations evaluate SaaS security once or twice a year, and the process is typically outsourced. But what happens in between those tests?

SaaS configurations change frequently. For example, new Salesforce data schemas (such as objects and records) are constantly updated. Similarly, Microsoft Sharepoint files, folder structures, and users change often. Code repositories in Github are continuously evolving. Human capital data in Workday changes as staff do.

Moreover, there is always a tension between security and business agility. New roles, new administrators, and new permissions are granted access to these SaaS apps to keep business running smoothly. These seemingly benign changes can easily expose sensitive information into unintended internal groups — or worse, external groups.

How Can Organizations Continuously Assess Their SaaS Security Posture?

I have heard application security consultants say it’s pure luck that some organizations haven’t been breached yet due to the security settings or permissions in their customer’s SaaS platforms. That’s why I recommend organizations that store or access critical and sensitive data in public SaaS applications ask themselves:

  • What visibility or assurance do I have into the security posture of my SaaS platforms?
  • How are the security controls for these SaaS platforms currently evaluated?
    • How thorough is that evaluation?
    • How often do evaluations take place?
  • How do these security controls align with my security framework?
  • What risks do SaaS third-party plugins or integrations carry?
  • Will the security controls I have in place sufficiently protect my organization at any stage of the application lifecycle – onboarding, business as usual, offboarding?

Bug bounty programs can shed light on vulnerabilities and exploits that exist within a SaaS platform. There is, however, a point of distinction to be made between the two. Vulnerabilities are simply weaknesses in a software system. Exploits are a way of leveraging vulnerabilities in order to achieve a defined objective of the threat actor.

Can AppOmni Help My Team Achieve SaaS Compliance for CPS 234?

AppOmni’s AO Labs researches SaaS platforms to gain deep knowledge of how to exploit software vulnerabilities as well as misconfigurations introduced by users. These findings are codified into analytical modules that automatically detect when a customer’s SaaS tenant presents these weaknesses. Rather than being identified during sporadic tests, these findings are exposed within minutes of ingesting the SaaS data for analysis.

This ingested data is then continuously monitored against a set of policies crafted to common cybersecurity frameworks and standards such as APRA CPS 234. By mapping to compliance frameworks, you will get (near) real-time insights of how your SaaS deployments are tracking against compliance.

AppOmni is committed to securing our customers’ SaaS platforms through the continuous evaluation of security controls against the most up-to-date customer configuration and data from all your SaaS platforms. And with our threat detection capabilities that look for suspicious or anomalous SaaS behavior, your odds are far better for maintaining CPS 234 compliance.

Related Resources