What is APRA CPS 234?

Prudential standard CPS 234 requires an APRA regulated entity to demonstrate the maintenance of an information security capability that places ultimate responsibility for information security with the Board.

CPS 234 will also include the entity’s extended business environment, including third parties which manage its information assets. Specific requirements include:

  • Clear definitions of information security-related roles and responsibilities
  • Implementation of controls across the extended business environment, which are commensurate with the criticality of assets and the threat
  • Systematic testing and assurance of controls effectiveness

CPS 234 magnifies the importance of enhancing a more positive move towards stronger cyber security.

This mandatory regulation dictates APRA-regulated entities to make cyber security a necessity and to become resilient against information security incidents (including cyber-attacks).

The revised regulation comes into effect on 1 July 2019.

CPS 234 applies to all APRA-regulated entities. These include:

  • Authorised deposit taking institutions
  • Private Health insurers
  • Superannuation funds
  • General Insurers
  • Non-operating holding companies
  • Life Insurers
  • Registered financial corporations (RFCs)
  • Friendly societies

Obligations on entities under CPS 234 include:

Allocating roles and responsibilities

Clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals.

Information Security capability

An entity must actively maintain its information security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or its business environment.

Policy Framework 

Maintain an information security policy framework which provides direction on the responsibilities of parties and is commensurate with the entity’s exposures to vulnerabilities and threats.

Information asset identification and classification

Implement robust mechanisms to detect and respond to information security incidents in a timely manner, including all relevant stages of an incident and escalation and reporting of information security incidents.

Implementation of Control

Information security controls must be in place to protect its information assets, including those managed by related parties and third parties, that are implemented in a timely manner and that are commensurate with

  • Vulnerabilities and threats to the information assets
  • The criticality and sensitivity of the information assets
  • The stage at which the information assets are within their life-cycle
  • The potential consequences of an information security incident.

Incident Management 

Review and test information security response plans to ensure they remain effective and fit-for-purpose.

Testing Control effectiveness

The effectiveness of its information security controls must be tested through a systematic testing program. The nature and frequency of the systematic testing must be commensurate with:

  • The rate at which the vulnerabilities and threats change
  • The criticality and sensitivity of the information asset
  • The consequences of an information security incident
  • The risks associated with exposure to environments where the APRA regulated entity is unable to enforce its information security policies
  • The materiality and frequency of change to information assets.

Internal Audit

Auditing Review the design and operating effectiveness of information security controls, including those maintained by related parties and third parties.

Notify APRA as soon as possible (and no later than 72 hours) after becoming aware of an information security incident; as soon as possible (and no later than 10 business days) after becoming aware of a material information security control weakness which is expected to not be able to be remediated in a timely manner.

For more information visit: APRA CPS 234

What next?

CPS 234 commences on 1 July 2019, subject to the transitional arrangements.

With regards the new regulation, Sense of Security can help your organisation meet their CPS 234 compliance obligations. Certain areas that Sense of Security can help cover include:

  • Enterprise Cyber Security Review & Data Governance- In today’s ever dynamic world of cyber threats, it is essential that an organisation has an understand of where they are in relation to the security of their organisation. This is where an Enterprise Cyber Security Review (ECSR) is beneficial.

  • Incident Response Readiness Assessment – The Sense of Security approach is to first understand all we can about your Enterprise and your industry. Then we methodically inspect and assess the levels of Incident Response Readiness from different viewpoints. Some of our more mature clients only need general guidance to set them on the right path, while others need a plan built from scratch – including an Incident Response Plan, Roadmaps, and Playbooks. An Incident Response Readiness Assessment (IRRA)will provide you and your stakeholders with a clear picture of current capabilities. Importantly, it will identify improvements and provide a roadmap of prioritised objectives.
  • Vulnerability Management – Sense of Security has many years of experience in protecting enterprise networks through our effective threat and risk management programs. As a result, we can assist with the development of a vulnerability management process through to the selection of appropriate supporting tools.
  • Cloud Security Review – Sense of Security can assist in navigating the cloud security environment. We can assess your cloud provider for key security elements such as data segmentation, regulatory practices and compliance. We can customise these queries to accommodate known issues based on a wealth of security experience, and tailor this to include your organisation’s specific requirements or compliance commitments. SOS can assess the maturity of your in-place cloud solution to ensure that your cloud provider is performing in line with your expectations.

To discuss how our specialist services can help your organisation please contact us on 1300 922 923 or complete the enquiry form by pressing the button below.

Contact Us