On July 1, 2019, the new Prudential Standard CPS 234 Information Security came into effect, bringing in tighter regulation around information security for banks, insurance and superannuation companies. If this is your organisation, make sure you read the below to understand the key new requirements for APRA regulated entities and whether there is anything you need to do to comply.
Here’s everything you need to know about the new prudential standard in Australia.
What does the CPS 234 regulation mean?
Cybersecurity attacks are becoming increasingly frequent, and more sophisticated. It goes without saying that cyber-attacks can wreak havoc on the targeted entity and have an extremely negative impact on its customers. This is precisely why APRA has implemented the new prudential standard.
The standard is aimed at helping all APRA-regulated entities improve their resilience to potential information security incidents (including cyber-attacks), as well as effectively respond to such incidents if they happen to occur.
The primary purpose of CPS 234 is to reduce the risk of information security incidents by minimising information security vulnerabilities, as well as lessen the impact of such incidents on the affected entity’s integrity and confidentiality of information assets. This also includes third-party information assets.
Information assets refer to all information and IT that an entity manages, including data, software, and hardware.
CPS 234 requires all entities regulated by APRA to:
1. Define all the roles and responsibilities of the Board, senior management, governing bodies, and individuals responsible for various information security functions, such as oversight, approval, and decision making;
2. Maintain their information security capability that is proportionate to their organisation’s size, scale, and the extent to the potential cybersecurity threats to their information assets, and which enables the organisation to continue operating smoothly;
3. Identify and classify their information assets by sensitivity and criticality for the purpose of determining the potential information security incident’s impact on the organisation and interests of its customers and beneficiaries;
4. Implement information security controls to effectively protect their information assets, and regularly conduct systematic testing and assurance to ensure the full effectiveness of those controls;
5. Notify APRA of any and every material information security incident in a regulated time frame, as well as notify it of any potential information security control vulnerabilities.
Here’s a more detailed explanation for each of the requirements.
1. Defining roles and responsibilities
APRA states that all the entities it regulates (every entity’s Board of directors, senior managers, and the governing bodies and individuals at the positions related to information security functions) must know exactly what roles and responsibilities they have regarding the management of information security risks.
They need to be absolutely clear about how they are managing those risks and help all the responsible parties perform their necessary duties.
2. Maintaining information security capability
This provision of the CPS 234 regulation is related to the obligation to design an information security policy framework, which is essentially a threat-based defence model. It will help the APRA-regulated entities provide clear direction regarding the roles and responsibilities of all relevant parties that need to maintain information security capability.
This means that the entities must determine the information security capability that corresponds to an entity’s size and scale, as well as the extent to which a potential information security incident would affect its information assets.
This includes both the information assets managed by the entity and the assets managed by related parties or third parties. The latter requires an APRA-regulated entity to assess the information security capability of the third party in question, as well as determine the impact that a potential information security incident would have on the third-party assets.
This provision also tackles the maintenance part of information security capability. Every APRA-regulated institution must actively maintain this capability, taking into account changes in cybersecurity threats and vulnerabilities.
They also must take into account any changes to their information assets, or their business environment, so that they can properly adjust their threat-based defence model whenever necessary
3. Identifying and classifying information assets
All APRA-regulated entities must be able to identify and classify their information assets by sensitivity and criticality, which includes both the assets managed by the entities and the assets managed by third parties.
This means that they need to classify the assets depending on the extent to which a potential information security incident would affect those assets.
Moreover, they need to take into account the effect that such an incident would have on the affected entity’s financial and non-financial aspects, as well as the interests of its beneficiaries, depositors, policyholders, and other related customers.
Information assets can include structured such as that found with databases as well as unstructured data such as emails, documents, spreadsheets, PDF files, audio files, images, videos, mobile activity, social media activity.
Within these data sources organisations can hold vast amounts of sensitive data which can include to customer personal, financial and health information such as;
- · names,
- · date of birth,
- · addresses,
- · phone numbers
- · credit card numbers
- · usernames/passwords
- · geolocation
- · medical records.
Safely storing and protecting all of this data means not only protecting an organisation’s finances, stability, integrity, and credibility but also protecting all of its customers.
This is precisely why the new CPS 234 standard requires all entities regulated by APRA to devise proper plans for managing their structured and unstructured data and effectively protecting both in case a security breach takes place.
Effectively managing and protecting this structured and unstructured data is a common challenge faced by most organisations. Many have existing plans and policies in place for dealing with potential information security incidents, but the reality is often policies are not enough. All affected parties should be able to discover, classify, and protect all their sensitive data.
4. Implementing and testing information security controls
This provision ties in with the previous one. In order to protect all of its data and information technology, an entity must have proper information security controls in place. They must have full control over their data to be able to effectively protect it.
All entities must have robust mechanisms in place that will enable them to swiftly detect and respond to any potential cybersecurity incident.
They also must devise and maintain information security response plans, which will include mechanisms for managing all potential incident stages, as well as for reporting the incident to the Board and all the other parties responsible for managing and responding to information security incidents.
To commission information security controls, an entity must take into account the sensibility and criticality of its information assets, as well as all the potential threats and vulnerabilities to those assets. Considering the stages where those assets are in their lifecycle (from planning and design to decommissioning and disposal) is of paramount importance.
The entities also must consider all the consequences that a potential information security incident would bring upon their organisation and all the relevant parties.
If an entity has information assets managed by a third party, it must evaluate that party’s information security controls to ensure they are truly effective.
Therefore, an APRA-regulated entity is required not only to commission proper information security controls but also to make sure that all the relevant parties do the same. This is extremely important, but it was considered as something that was only nice to have until recently. Now, it is an absolute necessity.
Furthermore, every entity must take proper tests on a regular basis to evaluate the effectiveness of all its information security controls. Changes to assets and business environments may happen, and new security vulnerabilities and threats constantly arise, so the security controls must be properly maintained.
Every entity must review and test all its information security controls and response plans at least on an annual basis, and conduct internal audits to make sure that all the information security controls (including those maintained by third parties) operate smoothly and effectively. They also must review and test the controls whenever there’s a change in the assets or business environment.
5. Notifying APRA
The new prudential standard CPS 234 includes a provision stating that all APRA-regulated institutions must notify APRA of any material information security incident in a timely manner.
This refers to incidents that both financially and non-financially affect the entity in question, or the interests of its beneficiaries, policyholders, depositors, and other customers.
Therefore, as soon as an entity detects any kind of material data breach, they must notify APRA. This provision states that they must do so within 72 hours of becoming aware of the breach.
In case an entity detects a vulnerability regarding a material information security incident, which they cannot remediate on their own, they must notify APRA within the time frame of 10 business days after becoming aware of the vulnerability.
What should I do?
Is your institution an APRA-regulated entity? If you are affected by CPS 234, and you don’t want to risk penalties for not complying, make sure you are already doing everything you can to align your business with the new regulations and meet all the necessary requirements.
Take the time to thoroughly explore all the aforementioned requirements of the CPS 234 standard, and devise all the necessary plans for fully protecting all your information assets, including the plans for remedying any potential information security incident.
SECMON1 are specialists in solving the CPS234 challenges. If you require assistance understanding your organisations CPS234 compliance requirements, or have any questions please contact us for advice
Contact the Author
Director | SECMON1
PH 0428 183 095
The Rialto, 525 Collins St. Melbourne
Take control of information in your organisation.
Act now before the data breach storm reaches you. Contact us today.
Abhorrent violent material – What you need to know about the Australian Law
If you or your organisation are an internet service prov ...