APRA CPS 234 / CPS 232
APRA CPS 234 - What is it?
APRA 234 is a prudential standard that applies to all ‘APRA-regulated entities’. The finalised standard, known as APRA CPS 234, is designed to ensure APRA-monitored organisations are more resilient to cyber-attacks and can respond quickly should a security breach occur.
APRA CPS 234, aims to ensure that APRA-regulated entities take measures to be resilient against information security incidents by maintaining an information security capability commensurate with information security vulnerabilities and threats.”
APRA-regulated institutions must go beyond simply following the new standards, they must demonstrate compliance with the new CPS 234 standard across all of its services.
How does Sekuro approach APRA CPS 234 compliance?
Sekuro adopts a pragmatic approach when assessing an organisation’s compliance against the Australian Prudential Regulation (APRA) CPS 234, utilising our industry knowledge and experience with regulatory standards. APRA recognised the threat in the digital environment and implemented the new APRA CPS 234 to ensure that APRA-regulated entities had sufficient information security protections.
At the conclusion of the assessment, Sekuro will provide a set of recommendations on how to address any identified gaps against APRA CPS 234. A commentary on the current status of compliance, and any improvement opportunities to uplift and strengthen existing controls further will also be provided.
The key steps to achieving the above include, but not limited to:
- Gathering and assessing information available
- Reviewing existing documentation
- Conducting interviews and workshops with relevant stakeholders
- Consolidating our findings
- Delivering the assessment report
- Presenting findings to management (if required)
Depending on the size and maturity of the organisation, and the number of controls present in the environment, this will determine the total effort required to complete the assessment.
Smaller Organisation Setting
Larger & More Complex Organisations
Up to 2 weeks
4 or more weeks
More Information on APRA CPS 234
APRA CPS 234 started on 1 July 2019; by December 2020, the level of compliance was still in its infancy across APRA regulated entities. APRA noted areas of weaknesses included testing programs, control environments and incident response capabilities.
APRA granted more than 100 requests for regulatory relief to entities struggling to meet the 1 January 2021 deadline for CPS 234 relating to third-party services, but “with consistent evidence that many entities are failing to adequately comply with CPS 234”.
APRA introduced a new cyber-security strategy for 2020 to 2024 that seeks to uplift cyber-security standards and heighten accountability where companies fail to meet their legally binding requirements. Although the board’s accountability is a focus of this regulatory standard, APRA has mandated further board and management accountability. Non-compliance may lead to a breach notice that requires a rectification plan, and action to be taken in a timely manner. Failure to do so may result in formal enforcement action.
APRA requests one-off, tripartite independent cyber-security reviews across all its regulated industries from 2021. It requires boards to use an external audit firm to review CPS 234 compliance and report back to both APRA and the board.
APRA-regulated entities include:
- Authorised deposit-taking institutions (ADIs), including foreign ADIs, and non-operating holding companies authorised unde r the Banking Act (authorised banking NOHCs);
- General insurers, including Category C insurers, non-operating holding companies authorised under the Insurance Act (authorised insurance NOHCs), and parent entities of Level 2 insurance groups;
- Life companies, including friendly societies, eligible foreign life insurance companies (EFLICs) and non-operating holding companies registered under the Life Insurance Act (registered life NOHCs);
- Private health insurers registered under the PHIPS Act; and (e) RSE licensees under the SIS Act in respect of their business operations.
As indicated by the recent update from APRA, formal enforcement action may be taken for non-compliance, and potential breach notice issued for lack of timely action.
ISO 27001 provides a baseline to work from as it is an internationally recognised information security standard. There is a one-to-one mapping of the nine key requirements from APRA CPS 234 to the ISO 27001 information security standard.
Depending on where your gaps are, we will work with you to address the key areas of concern as a priority and devise a plan for any improvement activities required to further uplift the existing controls. Contact us and we will walk through the process with you.