The Clock is Ticking on CPS 234

With the deadline for APRA regulated businesses to demonstrate compliance with the CPS 234 security standard fast approaching, the clock is ticking for many organisations. InfoTrust Senior Security Consultant, Indra Gunawan, looks at the origins of the standard, what it means for APRA regulated entities, and the requirements it places on businesses.

What is the CPS 234 Standard?

In July last year (2019), as a direct response to the changing cyber landscape, a new prudential standard was implemented for all Australian Prudential Regulatory Authority (APRA) regulated entities. It was introduced as a measure to improve the overall security capability of the entire industry, making businesses more resilient against security incidents. It’s no surprise such a measure was introduced: you only have to read the news to know that security breaches will happen, and businesses need to be prepared. As cybercriminals use increasingly sophisticated tools and techniques, cybersecurity should do the same, constantly evolving to protect information security.

CPS 234 is a mandatory regulation that requires organisations to significantly raise their information security capabilities in line with the size and extent of the threats to their assets. All APRA regulated businesses must ensure compliance with the security standard by 1 July 2020. The primary objective is to minimise the chance and scale of a security incident on the confidentiality, integrity, or availability of information assets, and that includes assets managed by third parties. The introduction of the regulation highlights yet again the importance of strong cybersecurity in the digital age.

How Does it Affect APRA Regulated Businesses?

APRA has recognised that the boards of its regulated entities need to improve their understanding of cyber risk. As such, under the CPS 234 standard, the board of APRA-regulated businesses is responsible for ensuring that the organisation maintains its information security by:

  • Defining roles and responsibilities – clearly defining all security-related roles, including those of the board, senior management, governing bodies, and individuals, ensuring the right people are shouldering responsibility.
  • Policy framework – your organisation must maintain an information security policy that is proportionate to your business’ exposure to vulnerabilities and threats. This policy should also communicate the defined roles and responsibilities as covered in the first point.
  • Classifying information assets – assets should be classified according to their criticality and sensitivity, considering how different groups would be affected should a breach occur.
  • Assessing the information security capability of your organisation and your third parties – your organisation’s security capabilities should be appropriate in relation to the size and extent of threats to your company assets. Where information assets are managed by third parties, it is your responsibility to determine their information security capabilities too.
  • Implementing controls – protecting information assets, including those managed by third parties, with measures that are suitable for the critical nature and sensitivity of those assets.
  • Undertaking testing – systematically testing controls to ensure they remain effective. Tests should be conducted at least annually, or whenever there is a material change to information assets or the business environment.
  • Preparing an incident response plan – ensuring your business is able to robustly respond to security threats when they happen, including reporting and evaluating information to the board.
  • Internal audit – the design and operating effectiveness of all information security controls, including any maintained by third parties, must be reviewed. You must also ensure the person undertaking the audit is appropriately skilled to provide assurance over these controls.
  • Notifying APRA of security incidents – promptly informing APRA within 72 hours of any cybersecurity incidents, and within 10 days after becoming aware of any material information security weaknesses that can’t be resolved.

The Time to Check Your Compliance is Now

The clock is ticking with 1 July fast approaching; check your compliance with the compulsory regulation and ensure your business is capable of standing up to cyber threats. While protecting your company’s digital assets can seem like a battle, with a prudent and proactive approach it is one that can be won. InfoTrust can help you navigate your way to compliance by outlining the actions you need to take to build a sound security capability within your organisation.

To find out more about how your business stacks up against the CPS 234 standard, request a complimentary two-hour assessment with us today.
