Here’s everything you need to know about the new prudential standard in Australia.
What does the CPS 234 regulation mean?
Cybersecurity attacks are becoming increasingly frequent, and more sophisticated. It goes without saying that cyber-attacks can wreak havoc on the targeted entity and have an extremely negative impact on its customers. This is precisely why APRA has implemented the new prudential standard.
The standard is aimed at helping all APRA-regulated entities improve their resilience to potential information security incidents (including cyber-attacks), as well as effectively respond to such incidents if they happen to occur.
The primary purpose of CPS 234 is to reduce the likelihood of information security incidents by minimising information security vulnerabilities, and to lessen the impact of any incident that does occur on the confidentiality, integrity and availability of the affected entity's information assets. This includes information assets managed by related parties and third parties on the entity's behalf.
Information assets refer to all information and IT that an entity manages, including data, software, and hardware.
CPS 234 requires all entities regulated by APRA to:
1. Define all the roles and responsibilities of the Board, senior management, governing bodies, and individuals responsible for various information security functions, such as oversight, approval, and decision making;
2. Maintain an information security capability that is proportionate to the organisation's size and scale and to the extent of the potential cybersecurity threats to its information assets, and which enables the organisation to continue operating;
3. Identify and classify their information assets by sensitivity and criticality for the purpose of determining the potential information security incident’s impact on the organisation and interests of its customers and beneficiaries;
4. Implement information security controls to effectively protect their information assets, and regularly conduct systematic testing and assurance to ensure the full effectiveness of those controls;
5. Notify APRA of every material information security incident within a regulated time frame, and also notify it of any material information security control weakness that the entity does not expect to remediate in a timely manner.
Here’s a more detailed explanation for each of the requirements.
1. Defining roles and responsibilities
APRA requires every entity it regulates to define clearly the information security roles and responsibilities of its Board of directors, senior management, governing bodies and the individuals who perform information security functions, so that each of them knows exactly what they are accountable for in managing information security risk.
The Board remains ultimately responsible for the entity's information security; the roles and responsibilities it defines must make clear how those risks are managed and enable each responsible party to perform its duties.
2. Maintaining information security capability
This provision of CPS 234 is tied to the obligation to maintain an information security policy framework that is commensurate with the entity's exposure to vulnerabilities and threats. That framework gives APRA-regulated entities clear direction on the roles and responsibilities of all the parties that must maintain the entity's information security capability.
This means that the entities must determine the information security capability that corresponds to an entity’s size and scale, as well as the extent to which a potential information security incident would affect its information assets.
This includes both the information assets managed by the entity itself and those managed by related parties or third parties. For the latter, an APRA-regulated entity must assess the information security capability of the third party in question, taking into account the impact that a potential information security incident affecting those third-party assets would have on the entity.
This provision also tackles the maintenance part of information security capability. Every APRA-regulated institution must actively maintain this capability, taking into account changes in cybersecurity threats and vulnerabilities.
They must also take into account any changes to their information assets or their business environment, so that they can adjust their defences whenever necessary.
3. Identifying and classifying information assets
Every entity must classify its information assets by sensitivity and criticality, reflecting the impact an information security incident affecting an asset would have on the entity and on the interests of its customers and beneficiaries. Sensitive information that needs to be identified and classified includes, for example:
- names,
- dates of birth,
- addresses,
- phone numbers,
- credit card numbers,
- usernames and passwords,
- geolocation data,
- medical records.
4. Implementing and testing information security controls
Furthermore, every entity must regularly test the effectiveness of all its information security controls. Assets and business environments change, and new vulnerabilities and threats constantly arise, so the controls must be actively maintained, not just implemented once.
Every entity must review and test its information security response plans at least annually, test its controls through a systematic testing programme whose frequency reflects the rate of change in vulnerabilities and threats, and have its internal audit function review the design and operating effectiveness of those controls, including controls maintained by related parties or third parties. Controls must also be reviewed and tested whenever there is a material change in the assets or the business environment.
5. Notifying APRA
The new prudential standard CPS 234 includes a provision stating that all APRA-regulated institutions must notify APRA of any material information security incident in a timely manner.
This refers to incidents that both financially and non-financially affect the entity in question, or the interests of its beneficiaries, policyholders, depositors, and other customers.
Therefore, as soon as an entity becomes aware of a material information security incident (a data breach being the most common example), it must notify APRA as soon as possible, and in any case no later than 72 hours after becoming aware of the incident.
Where an entity identifies a material information security control weakness that it expects it will not be able to remediate in a timely manner, it must notify APRA within 10 business days of becoming aware of that weakness.
What should I do?
Is your institution an APRA-regulated entity? If you are affected by CPS 234 and do not want to risk the consequences of non-compliance, make sure you are already doing everything you can to align your business with the standard and meet all its requirements.
Take the time to thoroughly explore all the aforementioned requirements of the CPS 234 standard, and devise all the necessary plans for fully protecting all your information assets, including the plans for remedying any potential information security incident.
SECMON1 are specialists in solving CPS 234 challenges. If you require assistance understanding your organisation's CPS 234 compliance requirements, or have any questions, please contact us for advice.
Contact the Author
Director | SECMON1
PH 0428 183 095
The Rialto, 525 Collins St. Melbourne
Take control of information in your organisation.
Act now before the data breach storm reaches you. Contact us today.