APRA's new cyber security standard for financial institutions
APRA Prudential Standard CPS 234 Information Security
APRA’s new mandatory regulation, the cross-industry Prudential Standard CPS 234, took effect on 1 July 2019. It sets out new cyber security requirements for APRA-regulated entities and brings to the forefront the importance of strong cyber security in the information age.

Making Plans to Comply with CPS 234?
Every APRA-regulated organisation must classify its information assets according to their privacy, sensitivity and criticality. Each organisation should consider the financial and non-financial effects of each type of breach of those information assets on all stakeholders: staff, clients and individuals.
“A key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including information assets managed by related parties or third parties.” APRA Prudential Standard CPS 234
The Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security.
CPS 234 applies only to APRA-regulated companies, including authorised deposit-taking institutions (ADIs) such as banks, general insurers, life companies, private health insurers and registrable superannuation entity licensees. From 1 July 2020 (important: APRA announced a revised CPS 234 effective date due to COVID-19; see more here), CPS 234 compliance also extends to third-party suppliers to these APRA-regulated businesses, such as service providers, vendors and channel partners.
How Can We Help?
Cyber security requirements and regulations are frequently criticised as box-ticking exercises. CPS 234, however, is an outcome- and principle-based regulation; as a result, it leaves companies to decide for themselves how its requirements are to be met.
We can help your organisation meet its CPS 234 assessment and compliance obligations. Engage us to:
- Undertake gap analysis of your existing security controls and security strategy, policy, and procedure against the standard
- Undertake/manage/assist in the resulting remediation project
- Identify and classify your data assets
- Undertake/manage/assist with penetration testing and security assessment
- Review your existing internal audit capability
- Develop and execute a user security awareness program
- Support ongoing adherence to your new security policies (operations and culture)
- Our Integrated Risk and Compliance Solution offers everything you need to automate your CPS 234 compliance
CPS 234 for superannuation and Responsible Entities (REs)
- Our services are tailored specifically for Superannuation funds and Responsible Entities (REs)
- CPS 234 controls closely resemble the international standard ISO 27001, so they are not novel to the security industry; APRA has identified the need to enforce these requirements on regulated entities. Please read about our ISO 27001 offering here.
What is CPS 234?
CPS 234 is APRA’s mandatory information security regulation. It requires APRA-regulated entities to maintain, and keep up to date, an information security capability commensurate with the size and extent of the cyber threats they face. See the full requirements of CPS 234.
Key capabilities for information security include:
- The company’s overall information security strategy, policies and procedures must be aligned with CPS 234
- The company’s data governance policy should be well defined, communicated and executed with clear security roles and responsibilities as commissioned and supported by the board
- The company’s information assets should be clearly identified and classified
- A security capability commensurate with the size and extent of threats to information assets should be regularly maintained and tested
- Incident management in place: not only robust mechanisms to detect and respond to information security incidents, but also annual review and testing of response plans
CPS 234 requires APRA-regulated entities to:
- Clearly define information-security related roles and responsibilities;
- Maintain an information security capability commensurate with the size and extent of threats to their information assets;
- Implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of those controls;
- Promptly notify APRA of material information security incidents.