APRA CPS 234: Are you prepared?
From 1 July 2019, regulated financial entities will be required to comply with strict security rules under a new standard set forth by the Australian Prudential Regulation Authority (APRA).
The Prudential Standard CPS 234 outlines new implementation measures and reporting obligations aimed at minimising the threat of information security incidents, including cyber attacks.
The introduction of CPS 234 is a response to the growing frequency and sophistication of cyber attacks targeting Australian financial entities.
We’ve provided a summary of the standard and what you can do to help your customers prepare. But first…
What’s the big deal?
The introduction of CPS 234 signifies a move towards an ‘assume breach’ mentality that is gaining ground across a range of industries.
APRA Executive Board member Geoff Summerhayes said the standard aims to ensure all regulated entities develop and maintain information security capabilities that reflect the importance of the data they hold and the significance of the threats they face.
A significant security breach at an APRA-regulated entity is almost certainly a question of when – not if.
CPS 234 is a formal response to the Royal Commission’s report that identified significant failings in the financial sector with regard to their privacy practices.
What are the key changes under CPS 234?
From 1 July 2019, APRA-regulated entities must:
- Define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals.
- Maintain an information security capability commensurate with the size and extent of threats to its information assets.
- Classify its information assets by criticality and sensitivity.
- Implement information security controls to protect its information assets commensurate with:
  - Vulnerabilities and threats to the information assets;
  - The criticality and sensitivity of those information assets;
  - The stage at which the information assets are within their lifecycle;
  - The potential consequences of an information security incident.
- Administer mechanisms to detect and respond to information security incidents in a timely manner.
- Review and test information security response plans and controls to ensure they remain effective and fit-for-purpose.
- Notify APRA of information security incidents and information security control weaknesses.
APRA’s view is that all information assets are subject to CPS 234, regardless of who manages the asset, where it sits in the supply chain, and whether or not it forms part of the entity’s material business activities.
You can review the complete CPS 234 standard here.
Who does CPS 234 impact?
The Prudential Standard CPS 234 is applicable to banks, credit unions, building societies, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry.
CPS 234 applies to all APRA-regulated entities from 1 July 2019.
For APRA-regulated entities whose information assets are managed by third parties, CPS 234 applies from 1 July 2020, or from the next renewal date of the contract if that is earlier.
How Arrow can help
As a channel partner, you can engage Arrow for support to develop and augment your capability to position and sell comprehensive cybersecurity solutions to your customers.
Whether it’s starting a security conversation or architecting and implementing a security solution, Arrow can support you in delivering on your customers’ security requirements.
Our enablement services cover:
- Network and security assessments
- Tailored recommendations for best practice
- Solution design that enables innovation on a phase-by-phase basis
- Proofs of concept (POCs) and demonstrations
- Technology solutions for data centre, security, cloud and data intelligence
- Implementation and deployment of the solution and policies
- Consultative support across finance, training, and business and marketing development.