
Assisting you to ensure APRA CPS 234 Compliance

November 10, 2021

Prudential Standard CPS 234, which outlines the information security requirements that APRA regulated organisations must comply with, is a mandatory regulation issued by APRA to ensure that your organisation’s information assets remain safe and secure from breaches.

In order to increase the rigour of compliance of CPS 234, Boards of regulated entities are required to engage third party independent Auditors to undertake a thorough CPS 234 compliance audit, with the results reported to both the Board and APRA.

APRA has developed a program of tripartite independent information security compliance reviews across all its regulated industries to ensure these audits are being conducted and the entities are complying with the Standard. It has recently begun issuing notifications to regulated financial institutions advising them to start preparing for these reviews.

Who needs to comply with the CPS 234 Standard?

All APRA-regulated entities, which include:

  • Authorised deposit-taking institutions (ADIs) including foreign ADIs, and non-operating holding companies authorised under the Banking Act
  • General insurers, including Category C insurers, non-operating holding companies authorised under the Insurance Act (authorised insurance NOHCs), and parent entities of Level 2 insurance groups
  • Life companies, including friendly societies, eligible foreign life insurance companies (EFLICs) and non-operating holding companies registered under the Life Insurance Act
  • Private health insurers registered under the PHIPS Act and RSE licensees under the SIS Act.

What does complying with CPS 234 mean for my organisation?

Compliance with the Standard will ensure the following within your organisation:

  • Board accountability for information security risks
  • Better management and security of information assets
  • Information security strategy alignment with the overall business strategy
  • Executive level representation at security governance committees
  • Effective third-party security compliance management
  • Appropriate security controls for the most critical & sensitive information assets
  • An effective assessment program for information security controls and incident management, including a periodically tested cyber incident response plan.

What are the consequences of non-compliance?

As cybercriminals and their programs become more advanced, so too should Australian cybersecurity systems – and CPS 234 ensures that these businesses continue to develop and maintain their online defences. It goes without saying that non-compliant organisations are operating at a much higher risk of being exposed to a cyber security breach, including business interruption, confidential records being compromised or fraud. Additionally, formal enforcement action may be taken for non-compliance and potential breach notices could be issued by APRA.

How can Centium help your organisation comply?

In order to meet the CPS 234 Standard, your organisation needs to employ an independent Auditor to undertake a thorough audit.

Centium is uniquely qualified to perform the requisite compliance audit and report as per Australian Standard on Assurance Engagements ASAE 3100 Compliance Engagements (ASAE 3100), issued by the Auditing and Assurance Standards Board.

We will:

  • Use our professional judgement to assess the risks that may cause material non-compliance with each of the CPS 234 paragraph 13 to 36 requirements
  • Consider relevant internal controls when designing our assurance procedures
  • Assess design and operating effectiveness of controls to meet CPS 234 compliance
  • Ensure that the engagement team possesses the appropriate knowledge, skills and professional competencies
  • Apply independence in our role to ensure the highest integrity and acceptance of our work.
  • Deliver the audit report.

Contact Us

If your organisation needs a helping hand in complying with APRA’s CPS 234 Standard in order to increase your security and better manage your information assets, Centium is more than happy to discuss how we can help you.

For more information, please contact Scott Thomson, Director Cyber & IT on 0412 562 797 or scott.thomson@centium.com.au.

For further information about our service, team and experience, refer to our capability infosheet. If we can assist you, please don't hesitate to get in touch.
