APRA CPS 234 / CPS 232
What is APRA CPS 234?
The Australian Prudential Regulation Authority (APRA) CPS 234 is a prudential standard that applies to all ‘APRA-regulated entities’.
“APRA’s CPS 234, aims to ensure that APRA-regulated entities take measures to be resilient against information security incidents by maintaining an information security capability commensurate with information security vulnerabilities and threats.”
What is our methodology and typical time frames that we have seen the project completed for businesses?
Privasec adopts a pragmatic approach when assessing an organisation’s compliance against the Australian Prudential Regulation (APRA) CPS 234, utilising our industry knowledge and experience with this regulatory standard. APRA recognised the threat in the digital environment and implemented the new APRA CPS 234 to ensure that APRA-regulated entities had sufficient information security protections.
At the conclusion of the assessment, Privasec will provide a set of recommendations on how to address any identified gaps against APRA CPS 234. A commentary on the current status of compliance, and any improvement opportunities to uplift and strengthen existing controls further will also be provided.
The key steps to achieving the above include, but not limited to:
- Gathering and assessing information available
- Reviewing existing documentation
- Conducting interviews and workshops with relevant stakeholders
- Consolidating our findings
- Delivering the assessment report
- Presenting findings to management (if required)
Depending on the size and maturity of the organisation, and the number of controls present in the environment, this will determine the total effort required to complete the assessment.
Smaller Organisation Setting | Larger & More Complex Organisations |
|---|---|
Up to 2 weeks | 4 or more weeks |
Any interesting / successful case studies or market observations to share?
Market Observation: APRA CPS 234 started on 1 July 2019; by December 2020, the level of compliance was still in its infancy across APRA regulated entities. APRA noted areas of weaknesses included testing programs, control environments and incident response capabilities.
APRA granted more than 100 requests for regulatory relief to entities struggling to meet the 1 January 2021 deadline for CPS 234 relating to third-party services, but “with consistent evidence that many entities are failing to adequately comply with CPS 234”.
APRA introduced a new cyber-security strategy for 2020 to 2024 that seeks to uplift cyber-security standards and heighten accountability where companies fail to meet their legally binding requirements. Although the board’s accountability is a focus of this regulatory standard, APRA has mandated further board and management accountability. Non-compliance may lead to a breach notice that requires a rectification plan, and action to be taken in a timely manner. Failure to do so may result in formal enforcement action.
APRA requests one-off, tripartite independent cyber-security reviews across all its regulated industries from 2021. It requires boards to use an external audit firm to review CPS 234 compliance and report back to both APRA and the board.
FAQs
APRA-regulated entities include:
- Authorised deposit-taking institutions (ADIs), including foreign ADIs, and non-operating holding companies authorised unde r the Banking Act (authorised banking NOHCs);
- General insurers, including Category C insurers, non-operating holding companies authorised under the Insurance Act (authorised insurance NOHCs), and parent entities of Level 2 insurance groups;
- Life companies, including friendly societies, eligible foreign life insurance companies (EFLICs) and non-operating holding companies registered under the Life Insurance Act (registered life NOHCs);
- Private health insurers registered under the PHIPS Act; and (e) RSE licensees under the SIS Act in respect of their business operations.
As indicated by the recent update from APRA, formal enforcement action may be taken for non-compliance, and potential breach notice issued for lack of timely action.
ISO 27001 provides a baseline to work from as it is an internationally recognised information security standard. There is a one-to-one mapping of the nine key requirements from APRA CPS 234 to the ISO 27001 information security standard.
Depending on where your gaps are, we will work with you to address the key areas of concern as a priority and devise a plan for any improvement activities required to further uplift the existing controls. Contact us and we will walk through the process with you.
Ready for the assessment?
Contact us to assess your resilience against information security incidents.