Complying With APRA CPS 234 Third-Party Requirements


Financial services across the world are typically common targets for cyberattacks, data breaches, and other third-party cyber incidents. To protect organisations and individuals from these growing threats, regulators such as the Australian Prudential Regulation Authority (APRA) have issued standards on information security practices that can be built into third-party risk management (TPRM) programs.

In 2019, APRA implemented Prudential Standard CPS 234 Information Security (CPS 234), which aims to keep regulated industries resilient against cybersecurity incidents. These APRA-regulated industries include organisations such as foreign and domestic authorised deposit-taking institutions (ADIs), domestic and Category C general insurers, life companies, and private health insurers.

CPS 234 offers a straightforward list of requirements on defining roles and responsibilities, maintaining information security capabilities, testing a control’s effectiveness, and more. Here’s an overview of those requirements and some practical tips that can help your organisation’s TPRM program comply with APRA’s standards.

Note: Text taken directly from CPS 234 is noted in italics.

APRA CPS 234 Information Security Third-Party Requirements

One of the main objectives of CPS 234 is to reduce the likelihood and impact of security incidents involving information assets managed by related parties or third parties. Information assets refer to information and information technology, including software, hardware and data (both soft and hard copy).

The following third-party requirements from the standard are intended to protect the confidentiality, integrity, and availability (CIA) of information assets:

  • Assessing information security capabilities – Organisations must determine whether their third parties have the resources, skills, and controls needed to protect their information. Working with a third party that has unskilled workers or insufficient resources to mitigate cybersecurity risk could increase the likelihood of an incident that negatively impacts your organisation.
  • Implementing security controls – An organisation’s information assets must be protected by controls, even when those assets are managed by a third party. These controls should be appropriate for the potential vulnerabilities and threats that exist, as well as the assets’ criticality and consequences of an incident. 
  • Evaluating controls – A third party’s controls must be evaluated by the APRA-regulated entity to ensure they’re designed well and operate effectively. Security controls that are inadequate or non-functional aren’t capable of protecting information assets. 
  • Reviewing control testing – Organisations must also evaluate whether their third party is testing their controls at an appropriate frequency. For example, consider a third party’s incident response plan that hasn’t been tested in over two years. The third party may have implemented a new system or process since the last test, making their plan ineffective. 


4 Tips to Comply With APRA CPS 234 Third-Party Requirements

Understanding how to comply with CPS 234 can seem overwhelming, especially if your organisation has limited TPRM resources and expertise. Fortunately, CPS 234 compliance can be simple to achieve by following some best practices that are foundational to TPRM. 

Here are 4 tips to consider:

  1. Complete an inherent risk assessment – Before you can begin implementing the CPS 234 standards, you’ll need to know which of your third parties have access to your information assets. An inherent risk assessment is one of the first steps within the onboarding stage of the TPRM lifecycle, but should also be reviewed periodically throughout the third-party relationship. This is typically a questionnaire completed internally by the vendor owner, which will identify the inherent risk and criticality of each third-party relationship. Third parties that have access to or store information assets are generally rated as high risk.

    Pro Tip: Criticality is separate from a risk rating. It determines the business impact on your organisation if a third party’s product or service were to suddenly stop or cease to exist. 

    If the answer is "yes" to any of the following questions, you're likely dealing with a critical third party:
    • Would our operations be significantly disrupted if we suddenly lost this third party?
    • Would our customers be impacted if we suddenly lost this third party?
    • Would our operations be significantly disrupted if the third party’s service was down for more than 24 hours?
  2. Include information security in due diligence – It’s essential to collect and review relevant information security documents throughout the due diligence process to better understand your third party’s capabilities of protecting your information assets. Consider which documents you may want to review to assess their capabilities around preventing, detecting, and responding to an incident. 

    Some examples may include evidence of regular vulnerability, penetration, and social engineering testing and results. The third party’s encryption standards and data retention/destruction policies are also helpful to review, as well as a documented and tested incident response plan.
  3. Assess third-party information security controls – Engage a qualified subject matter expert (SME) to assess the third party’s information security controls for effectiveness. For example, an SME may assess specific incident detection controls, such as firewalls, anti-malware, or patch management practices, to ensure they’re working as they should. The SME should document whether any controls are ineffective or missing, as well as any recommendations on moving forward or declining the third-party relationship.
  4. Review third-party control testing – Certain information security controls like incident response plans must also be tested regularly to ensure they remain effective in the event of new or changing risks. Information security threats are continuously evolving and becoming more sophisticated, so it’s essential that organisations and their third parties are prepared to respond. CPS 234 states that regulated entities must review testing at least annually or when there is a material change to information assets or the business environment. Organisations should report to the board of directors if testing results reveal any issues that can’t be remediated in a timely manner.

As organisations continue to rely on third parties to manage information assets, it’s important to recognise the risks and implement practices to strengthen operational resilience against security incidents. CPS 234 offers a strong foundation for developing an effective cybersecurity program that includes third-party relationships.
