APRA's CPS 234
CPS 234 is a mandatory information security prudential standard issued by the Australian Prudential Regulation Authority (APRA) that took effect on 1 July 2019. It requires organizations in the banking, insurance, and superannuation sectors to strengthen their information security frameworks in order to protect themselves and their customers from the growing threat of cyber attacks.
What is APRA?
The Australian Prudential Regulation Authority (APRA) is a statutory authority established in 1998 by the Australian Government.
APRA is accountable to the Australian Parliament but acts independently to supervise institutions in the banking, insurance, and superannuation industries.
A core purpose of APRA is to give the community assurance that the financial promises made by the institutions it supervises will be met under all reasonable circumstances.
APRA has the authority to oversee private health insurers, general and life insurers, superannuation funds, friendly societies, companies, and authorized deposit-taking institutions such as banks, building societies, and credit unions.
CPS 234 is an information security prudential standard intended to ensure that regulated entities can withstand cyberattacks and other security threats. It also requires that, when a data breach or other security incident is detected, the entity responds in a timely manner.
The frequency, complexity, and impact of cyberattacks continue to increase, and criminals are constantly refining their efforts to disrupt systems, networks, and information.
Financial institutions are an attractive target for cyberattacks because they hold personally identifiable information (PII) and protected health information (PHI) of Australian citizens. Banks and insurers increasingly use third-party tools and services to improve customer experience, which widens their attack surface.
CPS 234 aims to reduce risk and improve cybersecurity by requiring APRA-regulated entities to maintain information security capabilities and controls that are commensurate with the threats they face. It also requires them to manage supplier risk so as to reduce the likelihood and impact of incidents involving third parties.
Who Needs to Comply with CPS 234?
CPS 234 applies to all legal entities regulated by APRA:
Authorised deposit-taking institutions (ADIs), including foreign ADIs and non-operating holding companies licensed under Australian banking law
General insurance companies, including Category C (foreign) insurers, non-operating holding companies licensed under Australian insurance law, and parent companies of secondary insurers
Life insurance companies, including friendly societies, foreign life insurance companies, and non-operating holding companies registered under the Australian Life Insurance Act
Private health insurance companies registered under the PHIPS Act
RSE licensees (superannuation trustees) licensed under the Australian SIS Act
Wherever an APRA-regulated entity has its information assets managed by a third party, the requirements of CPS 234 extend to those assets. The standard does not bind the third party directly: the regulated entity remains responsible for assessing the third party's information security capability, for ensuring that the third party's controls are commensurate with the criticality and sensitivity of the assets it handles, and for testing those controls, typically through contractual security requirements and assurance activities such as audits or independent attestations.
The main goals and requirements of the standard are:
To minimize the likelihood and impact of information security incidents.
To ensure that regulated entities take the necessary steps to respond to cybersecurity incidents.
To define information security roles and responsibilities for the board, senior management, governing bodies, and individuals within the entity.
To define and document information security functions and a policy framework.
To protect information assets and implement controls that are validated through systematic testing.
To ensure that regulated entities have appropriate mechanisms for detecting and responding to security incidents in a timely manner.
To ensure notification of APRA within 72 hours of becoming aware of any material information security incident.
CPS 234 places ultimate responsibility for information security on the board of directors. The aim is to enable the continued operation of the entity while ensuring that the board oversees how information assets are maintained and secured.
Organizations covered by CPS 234 should strengthen six key areas of information security:
Cyber security frameworks, accountability, and reporting: a formal security framework, established controls, and clearly defined information security roles for the board, management, governing bodies, and individuals.
Identification and classification of information assets: information assets should be classified by criticality (the impact of a loss of availability) and sensitivity (the impact of a loss of confidentiality or integrity).
Third-party compliance: ensuring that information security standards are maintained by third parties that hold or process organizational data.
Systematic security assurance: continually testing systems to ensure that security measures are appropriate and effective given the evolving threat landscape.
Responding to security incidents: a formal incident response plan must be in place to ensure adequate response and mitigation for all incidents, with notification of material incidents to APRA.
Internal audits: regulated entities must verify the effectiveness of information security controls by conducting periodic internal audits.