What is APRA CPS 234?
APRA CPS 234 June 2024 Deadline
APRA has now released its final deadline for all remaining regulated entities to submit their CPS 234 tripartite assessments, and is calling for all remaining APRA CPS 234 tripartite assessments to be submitted by end of June 2024.
Outlined as part of its 2020-2024 Cyber Security Strategy, the one-off tripartite assessments require regulated entities to engage an independent auditor to report on their compliance against CPS 234 – Information Security.
What is APRA CPS 234?
APRA CPS 234 is a prudential standard that applies to all ‘APRA-regulated entities’. The finalised standard, known as APRA CPS 234, is designed to ensure APRA-monitored organisations are more resilient to cyber-attacks and can respond quickly should a security breach occur.
APRA CPS 234, aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyber-attacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats.
APRA-regulated institutions must go beyond simply following the new standards, they must demonstrate compliance with the new CPS 234 standard across all of its services in order to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including those managed by related or third parties.
How does Sekuro approach APRA CPS 234 compliance?
Sekuro adopts a pragmatic approach when assessing an organisation’s compliance against the Australian Prudential Regulation (APRA) CPS 234, utilising our industry knowledge and experience with regulatory standards. APRA recognised the threat in the digital environment and implemented the new APRA CPS 234 to ensure that APRA-regulated entities had sufficient information security protections.
At the conclusion of the assessment, Sekuro will provide a set of recommendations on how to address any identified gaps against APRA CPS 234. A commentary on the current status of compliance, and any improvement opportunities to uplift and strengthen existing controls further will also be provided.
The key steps to achieving the above include, but not limited to:
- Gathering and assessing information available
- Reviewing existing documentation
- Conducting interviews and workshops with relevant stakeholders
- Consolidating our findings
- Delivering the assessment report
- Presenting findings to management (if required)
Depending on the size and maturity of the organisation, and the number of controls present in the environment, this will determine the total effort required to complete the assessment.
Smaller Organisation Setting | Larger & More Complex Organisations |
|---|---|
Up to 2 weeks | 4 or more weeks |
Who is responsible for compliance to APRA CPS 234?
The Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security.
More Information on APRA CPS 234
APRA CPS 234 started on 1 July 2019; by December 2020, the level of compliance was still in its infancy across APRA regulated entities. APRA noted areas of weaknesses included testing programs, control environments and incident response capabilities.
APRA granted more than 100 requests for regulatory relief to entities struggling to meet the 1 January 2021 deadline for CPS 234 relating to third-party services, but “with consistent evidence that many entities are failing to adequately comply with CPS 234”.
APRA introduced a new cyber-security strategy for 2020 to 2024 that seeks to uplift cyber-security standards and heighten accountability where companies fail to meet their legally binding requirements. Although the board’s accountability is a focus of this regulatory standard, APRA has mandated further board and management accountability. Non-compliance may lead to a breach notice that requires a rectification plan, and action to be taken in a timely manner. Failure to do so may result in formal enforcement action.
APRA requests one-off, tripartite independent cyber-security reviews across all its regulated industries from 2021. It requires boards to use an external audit firm to review CPS 234 compliance and report back to both APRA and the board.
FAQs
APRA-regulated entities include:
- Authorised deposit-taking institutions (ADIs), including foreign ADIs, and non-operating holding companies authorised unde r the Banking Act (authorised banking NOHCs);
- General insurers, including Category C insurers, non-operating holding companies authorised under the Insurance Act (authorised insurance NOHCs), and parent entities of Level 2 insurance groups;
- Life companies, including friendly societies, eligible foreign life insurance companies (EFLICs) and non-operating holding companies registered under the Life Insurance Act (registered life NOHCs);
- Private health insurers registered under the PHIPS Act; and (e) RSE licensees under the SIS Act in respect of their business operations.
As indicated by the recent update from APRA, formal enforcement action may be taken for non-compliance, and potential breach notice issued for lack of timely action.
ISO 27001 provides a baseline to work from as it is an internationally recognised information security standard. There is a one-to-one mapping of the nine key requirements from APRA CPS 234 to the ISO 27001 information security standard.
Depending on where your gaps are, we will work with you to address the key areas of concern as a priority and devise a plan for any improvement activities required to further uplift the existing controls. Contact us and we will walk through the process with you.