The Australian Prudential Regulation Authority (APRA) has announced the final deadline for all remaining regulated entities to submit their CPS 234 tripartite assessments and has outlined core enforcement and supervision priorities for the year ahead. This crucial step underscores APRA's commitment to cybersecurity as a fundamental pillar of financial stability. However, while the deadline looms, understanding the context, implications and potential consequences of the requirement is essential.
CPS 234 is short for Prudential Standard CPS 234: Information Security, which was implemented in 2019. It mandates specific cybersecurity obligations for APRA-regulated entities such as banks, insurers, and superannuation trustees, and aims to safeguard sensitive financial data, protect customer information, and ensure operational resilience against cyber threats.
The CPS 234 Tripartite Review is a mandatory audit commissioned by APRA. Conducted by a registered public audit firm, it assesses the effectiveness of an APRA-regulated entity's information security controls against the requirements outlined in Prudential Standard CPS 234: Information Security. The review plays a crucial role in strengthening the cybersecurity posture of the financial sector and mitigating cyber risks, and it also serves as a preliminary indicator of an entity’s overall cybersecurity maturity and preparedness.
Key Features of the Tripartite Review:
The Tripartite Review serves as a valuable exercise for regulated entities to identify areas for improvement in their cybersecurity practices and demonstrate their commitment to information security best practices.
The Australian Prudential Regulation Authority (APRA) recognises the significant impact of cyber threats on the financial landscape and prioritises cybersecurity through a range of initiatives, including the CPS 234 Tripartite Review. This commitment stems from several key considerations:
The Australian Prudential Regulation Authority (APRA) has set the final deadline of June 30, 2024 for regulated entities to submit CPS 234 tripartite assessments. The submission window spans the next six months, following the completion of the information security assessment program’s initial pilot phase.
Key takeaways for the Pilot Phase
Looking Ahead: The Regulatory Landscape for Operational Resilience
With Prudential Standard CPS 230 – Operational Risk Management set to take effect from July 1, 2025, APRA urges entities to proactively ensure compliance. The regulator plans to engage with entities on operational resilience throughout 2024, providing updated guidance, meetings, webinars, and information roundtables. Ultimately, APRA is committed to ensuring regulated entities operate with:
Navigating the intricacies of CPS 234 and successfully completing the tripartite assessment can be daunting. InfoTrust boasts a team of cybersecurity experts with a deep understanding of the standard and its assessment requirements. They can guide you through:
Don't wait until the deadline approaches. Reach out to InfoTrust today and confidently navigate your path to CPS 234 compliance.