Introduction:
As cyber-attacks grow in sophistication, the regulations that govern the protection of information assets must evolve with them. The financial sector is one of the most prominent targets for cyber-attacks, largely because financial institutions rely ever more heavily on technology to improve customer service and operational efficiency. Regulatory bodies have therefore put in place heightened regulations and expectations for the effective safeguarding of information assets.
What is APRA?
Established by the Australian Government in 1998 following the recommendations of the Wallis Inquiry into the Australian financial sector and system, the Australian Prudential Regulation Authority (APRA) is an independent statutory authority which supervises institutions across the financial sector (including banking, insurance, and superannuation).
Prudential regulation concerns the safety and soundness of financial institutions, so that the community can maintain confidence that those institutions will meet their financial commitments under all reasonable circumstances.
Under APRA’s legislation, the regulatory body is tasked with protecting the interests of depositors, policyholders, and superannuation fund members.
The ultimate purpose of the Australian Prudential Regulation Authority is to ensure the financial interests of Australians are protected and the financial system is stable, competitive and efficient.
APRA’s values:
- Integrity – we act without bias, are balanced in the use of our powers, and deliver on our commitments
- Collaboration – we actively seek out and encourage diverse points of view, to produce well-founded decisions
- Accountability – we are open to challenge and scrutiny, and take responsibility for our actions
- Respect – we are always respectful of others, and their opinions and ideas
- Excellence – we maintain high standards of quality and professionalism in all that we do
What is CPS 234? Why is it important?
APRA introduced Prudential Standard CPS 234 Information Security, which took effect on 1 July 2019, to ensure APRA-regulated entities are resilient against cyber-attacks, threats, and risks. As an essential cybersecurity framework for Australian financial businesses, it also compels APRA-regulated entities to notify APRA of material information security incidents as soon as possible, and no later than 72 hours after becoming aware of them. This obligation is separate from the Notifiable Data Breaches scheme administered by the OAIC, which carries its own notification requirements.
Financial institutions are disproportionately targeted by adversaries because of the confidential data on their networks, such as personally identifiable information and health information, which attackers can readily monetise. The growing dependence of superannuation, banking, and insurance institutions on technology and third-party vendors further accelerates the increase in attacks.
The aim of CPS 234 is to reduce cyber risk and improve security by requiring APRA-regulated entities to: apply vendor risk management practices to reduce the likelihood and impact of incidents; maintain an information security capability commensurate with their information security threats and risks; and notify APRA of material information security incidents no later than 72 hours after becoming aware of them.
Information Security Capability
CPS 234 requires APRA-regulated entities to:
- Maintain an information security capability commensurate with the size and extent of threats to its information assets, which supports the continued sound operation of the entity
- Assess the information security capabilities of related or third parties who manage information assets on behalf of the entity, commensurate with the potential consequences of an information security incident that could affect those assets
- Actively maintain its information security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or business environment
To comply with these requirements, entities should assess the sufficiency of their information security capability. This includes reviewing funding and staffing, timely access to required skill sets, and the overall breadth of the control environment (preventative, detective, and responsive).
Given the current threat landscape, regulated entities should go beyond general security controls and build out more specialised information security capabilities.
These could include:
- Vulnerability and threat management/mitigation
- Situational awareness and intelligence
- Information security operations and administration
- Secure design, architecture, and consultation
- Security testing (e.g., penetration testing)
- Security reporting and analytics
- Incident detection and response (including recovery, notifications, and communications)
- Security investigations (including preserving evidence and forensic analyses)
- Information security assurances
In summary, under CPS 234 regulated entities must keep on top of changes in vulnerabilities and threats. This means adopting a forward-looking approach in which the entity continues to invest in the resources, skills, and controls relevant to its business and its information assets.
What are the key requirements?
- Information security capability – consider the adequacy and sufficiency of the entity’s information security capabilities in relation to vulnerabilities and threats, ensure adequate investment to support information security capability, and review the progress of the execution of the information security strategy
- Policy framework – information security policies should reflect Board expectations
- Information assets identification and classification – identify and classify information assets, including those managed by related or third parties, by criticality and sensitivity
- Implementation of information security controls – regularly assess and evaluate reporting of the effectiveness of implemented information security controls and the overall health and security of the entity’s information assets
- Incident management – maintain mechanisms to detect and respond to information security incidents in a timely manner, supported by incident response plans that are reviewed and tested at least annually
- Testing control effectiveness – regularly seek assurance on the sufficiency of testing coverage across security controls and assess the effectiveness of information security controls based on the results of regular testing
- Internal audit – the internal audit function must review the design and operating effectiveness of information security controls, including those maintained by related or third parties
- APRA notification – notify APRA as soon as possible, and no later than 72 hours, after becoming aware of a material information security incident, and no later than 10 business days after becoming aware of a material information security control weakness that the entity expects it will not be able to remediate in a timely manner
Who does CPS 234 apply to?
All entities regulated by APRA must comply with CPS 234.
APRA-regulated entities include:
- Authorised deposit-taking institutions (ADIs), including banks, building societies and credit unions
- Superannuation funds
- Life insurance companies
- Friendly societies
- General insurers
- Non-operating holding companies
- Private health insurers
Foreign Entities
CPS 234 also applies to specific foreign entities, including:
- Foreign ADIs
- Foreign general insurers
- Foreign life insurance companies
Compliance with CPS 234 applies only to the Australian branch of these foreign entities. However, if the Australian branch's technology and information assets are managed and supported by the entity's head office, the head office must be able to provide evidence that those arrangements meet the standard.
Third-party
CPS 234 commenced on 1 July 2019. For information assets managed by third parties, the requirements applied from the earlier of the next renewal date of the relevant contract or 1 July 2020. Note that the standard binds the regulated entity, not its suppliers: the entity must assess the information security capability of any third party handling its assets, and in practice will require those third parties to demonstrate compliance with the relevant security controls on request.
Who is responsible for compliance?
Ultimately, the Board is responsible for CPS 234 compliance, and must ensure the entity’s information security is maintained and managed based on the size and the threats to information assets.
However, the Board can delegate responsibilities to sub-committees, management committees and other individuals within the institution. What matters is that information security roles are clearly defined and that all parties with an obligation to maintain information security are given direction on their responsibilities.
What’s the difference between APRA CPS 234 and ISO 27001?
If you’re seeking to meet APRA CPS 234’s key requirements, you might consider achieving ISO 27001 at the same time.
The key difference between ISO 27001 and CPS 234 is how they are regulated and enforced. ISO 27001 is a formal certification, granted for a three-year cycle subject to annual surveillance audits and recertification, and requires a series of internal and external audits, whereas CPS 234 has no official certification or accreditation. Instead, the Australian Prudential Regulation Authority has a number of formal and informal enforcement tools at its disposal, including working with APRA-regulated entities to identify and rectify cyber and information security issues.
While APRA CPS 234 provides guidance for safeguarding information assets it does not seek to be all-encompassing. APRA expects that regulated entities will implement appropriate information security controls informed by contemporary sound industry practices, including in areas not explicitly addressed by the standard. Additionally, CPS 234 is not intended to replace or endorse existing industry standards and guidelines. A regulated entity would typically use discretion in adopting industry standards and guidance it considers fit-for-purpose in specific control areas.
ISO 27001 certification can facilitate the implementation of the requirements outlined in APRA CPS 234. Recognised globally, ISO 27001 provides a structured management-system framework for protecting your information assets. Achieving certification can also set you apart from other regulated entities, as it demonstrates that your organisation is committed to developing, improving and protecting its sensitive data and information.
How to get started:
eStorm Australia has extensive experience with helping businesses in the financial sector achieve both ISO 27001 certification and compliance to the standards of APRA CPS 234. View our ISO 27001 services for more information: https://www.estorm.com.au/it-support-services/iso-27001-services-consulting/
Or contact our friendly staff:
Phone: 07 3120 0640
Email: [email protected]