CPS 234 is a regulatory guideline issued by the Australian Prudential Regulation Authority (APRA) that addresses the information security management of entities it supervises. It sets out the minimum information security requirements that APRA-regulated entities must meet. It’s a mandatory requirement and provides a framework for managing and protecting personal and other sensitive information.
The regulation was implemented on July 1, 2019, and applies to all APRA-regulated entities, including banks, insurance companies, and superannuation funds. The regulation aims to protect the security and confidentiality of customer information and maintain the financial system’s integrity.
Objectives of CPS 234
The aim of CPS 230 is to guarantee that an APRA-regulated company takes steps to be resilient against information security events (including cyberattacks) by maintaining an information security capacity commensurate with information security vulnerabilities and threats.
One significant goal is to reduce the risk and effect of information security events on the confidentiality, integrity, or availability of information assets, particularly those maintained by related parties or third parties.
The Board of Directors of an APRA-regulated organisation is ultimately responsible for guaranteeing the entity’s information security.
Key Requirements of CPS 234
The Prudential Standard has the following key requirements for an APRA-regulated entity:
- They should clearly describe the information security roles and duties of the Board, governing bodies, senior management, and individuals;
- keep an information security capacity corresponding with the magnitude and scope of risks to its information assets, allowing the business to continue operating in a safe and sound manner;
- develop controls to safeguard its information assets that are proportionate to the sensitivity and criticality of those assets, and conduct systematic testing and verification of the efficacy of such controls;
- Report material information security incidents to APRA..
Hence, CPS 234 is an important guideline to promote information security and internet safety measures amongst Australian businesses to key malicious actors at bay!
Roles and Responsibilities
The Board of Directors of an APRA-regulated entity (Board) is ultimately accountable for the entity’s information security. The Board must ensure that the organisation maintains information security in a way appropriate to the scale and scope of risks to its information assets, allowing the entity to continue operating in a safe and secure manner.
An APRA-regulated organisation should clearly describe the information security-related duties and responsibilities of the Board, governing bodies, senior management, and individuals essential for decision-making, approval, oversight, operations, and other information security tasks.
Information Security Capability
An APRA-regulated entity should maintain an information security capability commensurate with the scale and scope of risks to its information assets and capable of enabling the organization’s ongoing sound operation.
Where information assets are administered by a related party or a third party, the APRA-regulated business must examine that party’s information security capacity in light of the probable repercussions of an information security event impacting those assets.
An APRA-regulated organisation must actively maintain its information security capabilities in light of changes in vulnerabilities and threats, including those caused by changes in information assets or the business environment.
Policy Framework
An APRA-regulated entity must have an information security policy framework that is proportionate to its vulnerability and threat exposures.
The information security policy framework of an APRA-regulated company shall give guidance on the obligations of all parties who have a duty to maintain information security.
Identification and Classification of Information Assets
An APRA-regulated firm should categorise its information assets by criticality and sensitivity, including those controlled by related parties and third parties.
This categorisation should represent the extent to which an information security event impacting an information asset has the potential to damage the entity or the interests of depositors, policyholders, beneficiaries, or other customers, either financially or non-financially.
Implements of Controls
An APRA-regulated entity should have information security controls in place to protect its information assets, including those managed by associated and third parties, that are proportionate to:
(a) the threats and vulnerabilities to the information assets;
(b) the sensitivity and criticality of the information assets;
(c) the stage of the information assets’ life cycle;
(d) the possible consequences of an information security incident.
When an APRA-regulated business’s information assets are handled by a related or a third party, the APRA-regulated entity should examine the design of the respective party’s information security measures to ensure that the APRA-regulated entity’s information assets are protected.
Incident Management
An APRA-regulated company should have effective measures in place to detect and respond to information security events.
An APRA-regulated entity must keep plans in place to respond to information security events that it believes are likely to occur (information security response plans).
The information security response plans of an APRA-regulated firm should contain methods for:
(a) managing all relevant phases of an event, from detection through post-incident review;
(b) Expansion and reporting of information security issues to the Board, other governing bodies, and personnel responsible for information security incident management and supervision, as appropriate.
An APRA-regulated company should assess and test its information security response plans every year to ensure they remain effective and suitable for the purpose.
Testing Effectiveness of Controls
An APRA-regulated firm should use a systematic evaluation process to assess the efficacy of its information security controls. The nature and frequency of systematic testing should be proportionate to:
(a) the rate at which vulnerabilities and threats change;
(b) the criticality and sensitivity of the information asset;
(c) the consequences of an information security incident;
(d) the risks associated with exposure to environments in which the APRA-regulated entity is unable to enforce its information security policies; and (e) the materiality and frequency of change to information assets.
When an APRA-regulated entity’s information assets are managed by a third party or an associated entity, and the APRA-regulated entity relies on its information security control testing, the APRA-regulated entity should assess whether the nature and frequency of control testing in relation to those information assets commensurate with the requirements mentioned in the previous paragraph.
Any testing results that show information security control flaws that cannot be rectified in a timely manner should be escalated and reported to the Board or senior management of an APRA-regulated business.
An APRA-regulated organisation must guarantee that testing is carried out by specialists who are adequately competent and functionally independent.
An APRA-regulated entity must examine the testing program’s sufficiency at least once a year or whenever there is a major change in information assets or the business environment.
Internal Audit
Internal audit operations of an APRA-regulated business must include an evaluation of the design and operation of information security controls, including those maintained by related and third parties (information security control assurance).
An APRA-regulated organisation should guarantee that the information security control assurance is supplied by adequately competent individuals.
The internal audit function of an APRA-regulated entity should analyse the information security control assurance provided by a related party or third party where:
(a) an information security incident affecting the information assets has the potential to materially affect the entity or the interests of the policyholders, depositors, beneficiaries, or other customers, financially or non-financially; and
(b) internal audit intends to rely on information security control assurance.
APRA Notification
An APRA-regulated entity should notify APRA at the earliest and not post 72 hours after becoming aware of an information security incident, which:
(a) either affected, or had the potential to materially affect, the entity, or the interests of depositors, policyholders, beneficiaries, or other customers, financially or non-financially;
(b) has been notified to other regulators, either in Australia or other jurisdictions.
After becoming aware of a substantial information security control deficiency that the entity thinks it will not be able to address in a reasonable timeframe, an APRA-regulated entity shall notify APRA as soon as feasible and, in any event, no later than 10 working days.
Benefits of CPS 234 Standard
- Enhanced security: CPS 234 establishes a comprehensive set of information security standards, ensuring that regulated entities can better protect their sensitive data and information systems.
- Improved risk management: The guidelines provide a framework for managing information security risks, helping entities to address and identify potential threats before they become an actual breach of data incidents.
- Increased customer confidence: Complying with CPS 234 demonstrates to customers and stakeholders that an entity takes information security seriously and has the necessary processes and controls in place to protect its data.
- Compliance with regulatory requirements: Following CPS 234 helps entities to meet their regulatory obligations and avoid potential penalties for non-compliance.
- Improved efficiency and effectiveness: Implementing the guidelines can help entities to streamline their information security processes and improve the overall effectiveness and efficiency of their operations.
How can Anitech help?
Anitech’s experienced ISMS consultants can help you understand and implement CPS 234 for your organisation. Enquire here.
You can also call us at 1300 802 163 or email us at info@anitechgroup.com
Our team will help you!
