The Australian Prudential Regulation Authority’s (APRA’s) Information Security Prudential Standard (CPS 234) comes into effect on 1 July 2019 – only a few months away! Are you ready?
CPS 234 aims to ensure that all APRA-regulated entities remain resilient against information security incidents, including cyber related attacks. A key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information, including information managed by related parties or third parties.
CPS 234 puts the onus on Boards to ensure information security controls remain commensurate with the size and extent of threats. It also puts the onus on internal audit to review the design and operating effectiveness of information security controls.
APRA requires notification of both information security incidents and material internal control weaknesses. An incident that materially affected, or had the potential to materially affect, the entity or the interests of its depositors, policyholders or beneficiaries must be reported as soon as possible and no later than 72 hours after the entity becomes aware of it. A material control weakness that the entity expects it will not be able to remediate in a timely manner must be reported within 10 business days of identification.
Who does CPS 234 apply to?
CPS 234 applies to all APRA-regulated entities, including authorised deposit-taking institutions (ADIs), foreign ADIs and non-operating holding companies authorised under the Banking Act. It also applies to general insurers, life companies, private health insurers and RSE licensees (superannuation trustees), including non-operating holding companies authorised under the Insurance Act or the Life Insurance Act.
When does CPS 234 become effective?
For APRA-regulated entities that manage their own information assets, CPS 234 applies from 1 July 2019.
For APRA-regulated entities whose information assets are managed by third parties, CPS 234 applies from 1 July 2020, or from the next renewal date of the contract if that is earlier.
CPS 234 requires internal audit functions to review the design and operating effectiveness of information security controls. This includes information security controls maintained by related parties and third parties, especially where:
CPS 234 requires that the effectiveness of information security controls be tested systematically, by appropriately skilled and functionally independent specialists, with the frequency of testing driven by the rate of change in vulnerabilities and threats, the criticality and sensitivity of the information assets, and the consequences of a compromise. This is where Centium can assist.
Centium has decades of experience in assisting government and non-government entities to review, assure and bolster their information security capabilities. We have direct experience and valuable insights with respect to each of the CPS 234 requirements. We can help you to achieve compliance by 1 July 2019.
For example, we can:
Our team includes specialist practitioners with decades of information and cyber security experience in APRA-regulated environments. We can provide expert, practical, fit-for-purpose capabilities to help you achieve compliance by 1 July 2019.
To discuss how we can help you meet your compliance obligations, email us at firstname.lastname@example.org or call us on 13002378100.