APRA CPS 234

Prudential Standard CPS 234 is a regulatory framework established by the Australian Prudential Regulation Authority (APRA) to enhance cybersecurity in the financial services industry.

What is APRA Prudential Standard CPS 234?

Alright, so what exactly is APRA Prudential Standard CPS 234?

APRA, which stands for the Australian Prudential Regulation Authority, created this standard to ensure that APRA-regulated entities take appropriate measures to be resilient against information security incidents, cyber attacks and data breaches.

The standard came into effect on 1st July 2019, and APRA-regulated entities were given a six month transition period to comply.

This standard is all about making sure that companies have the right defences in place to maintain the confidentiality, integrity and availability of information assets.

The goal of this standard is to increase the safety and security of personal data that Australians entrust to their financial institutions.

What are the objectives of APRA Prudential Standard CPS 234?

The key objectives of APRA Prudential Standard CPS 234 are:

  1. To ensure APRA-regulated entities are resilient against information security incidents, including cyber-attacks.
  2. To minimize the likelihood and impact of information security incidents on the confidentiality, integrity, and availability of information assets, including those managed by related parties or third parties.
  3. To maintain an information security capability commensurate with the size and extent of threats to an entity's information assets.
  4. To enable the continued sound operation of APRA-regulated entities in the face of information security threats.
  5. To protect the interests of depositors, policyholders, and other customers by safeguarding their data and ensuring the stability of financial institutions.
  6. To establish clear roles and responsibilities for information security among the Board, senior management, and other relevant individuals within regulated entities.
  7. To ensure the implementation of appropriate controls to protect information assets based on their criticality and sensitivity.
  8. To mandate systematic testing and assurance regarding the effectiveness of information security controls.
  9. To require prompt notification to APRA of material information security incidents.

By setting these objectives, CPS 234 aims to strengthen the overall information security framework of organisations in the financial and insurance sectors, ensuring they are better prepared to face and mitigate cybersecurity risks.

Why is APRA Prudential Standard CPS 234 Important?

Now, you might be wondering, why should we care about this standard?

First off, compliance is mandatory for all APRA-regulated entities.

So it's a must have, not a nice-to-have.

Well, think of it like this: in today's world, information is gold.

And just like gold, it needs protection.

APRA Prudential Standard CPS 234 is here to make sure that APRA-regulated entities are prepared for any cyber threats that come their way.

Second of all, it's about building trust with Australian citizens around how their personal data is being handled.

Who does APRA Prudential Standard CPS 234 apply to?

So, who needs to pay attention to this standard?

Well, it's not just for anyone.

CPS 234 is specifically for financial institutions which are considered to be APRA-regulated entities.

This includes:

  • Banks
  • Credit unions
  • Building societies
  • General insurers and other insurance companies
  • Life insurers

These organizations need to follow the rules set by CPS 234 to ensure they're protecting their data and their customers' information.

Who governs APRA Prudential Standard CPS 234?

Now, let's talk about who keeps an eye on this standard.

Just like a referee in a game, there's an authority that makes sure everyone is playing fair.

In this case, it's APRA itself.

They're the ones who created the standard and ensure that organisations are following it.

APRA is like the guardian of the financial world in Australia.

They make sure that everyone is doing their part to keep things secure and running smoothly.

It's like having a watchful eye that ensures everyone is on the right track.

What are the key requirements of APRA Prudential Standard CPS 234?

Alright, let's get into the nitty-gritty.

What do organisations need to do to comply with CPS 234?

Here are the key requirements:

  • Roles and responsibilities: Clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals.
  • Information security capability: Maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.
  • Policy framework: Maintain an information security policy framework that is commensurate with your exposures to vulnerabilities and threats and provides direction on the responsibilities of all parties who have an obligation to maintain information security.
  • Information asset identification and classification: Classify your information assets, including those managed by related parties and third parties, by criticality and sensitivity.
  • Implementation of controls: Implement controls to protect your information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls.
  • Incident management: Have robust mechanisms in place to detect and respond to information security incidents in a timely manner, including information security response plans.
  • Testing control effectiveness: Test the effectiveness of your information security controls through a systematic testing program.
  • Internal audit: Have skilled personnel review the design and operating effectiveness of information security controls, including those maintained by related parties and third parties.
  • APRA notification: Notify APRA of material information security incidents as soon as possible and no later than 72 hours after becoming aware of the incident.

Another important component of CPS 234 is managing information security risks that arise from third parties:

  • Entities must assess the security controls of third-party providers managing their information assets.
  • The internal audit function must evaluate the information security control assurance provided by third parties in certain circumstances.

For further information, please refer to the official Prudential Standard CPS 234 documentation for a detailed list of controls and requirements.