APRA CPS 234 - TIME IS RUNNING OUT!

March 12, 2019

Overview

The Australian Prudential Regulation Authority’s (APRA’s) Information Security Prudential Standard (CPS 234) comes into effect on 1 July 2019 – only a few months away! Are you ready?

CPS 234 aims to ensure that all APRA-regulated entities remain resilient against information security incidents, including cyber related attacks. A key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information, including information managed by related parties or third parties.

CPS 234 puts the onus on Boards to ensure information security controls remain commensurate with the size and extent of threats. It also puts the onus on internal audit to review the design and operating effectiveness of information security controls.

APRA requires notification of both information security incidents (within 72 hours) and material internal controls weaknesses that may not be addressed in a timely manner (within 10 business days of identification).

Who does the CPS 234 apply to?

CPS 234 applies to all APRA-regulated entities including authorised deposit-taking institutions (ADIs), foreign ADIs and non-operating holding companies. It also applies to general insurers, life companies, and private health insurers. This includes non-operating holding companies that are authorised under the Insurance Act or Life Insurance Act.

When does CPS 234 become effective?

For APRA regulated entities that manage their own information assets, CPS 234 applies from 1 July 2019.

For APRA-regulated entities whose information assets are managed by third parties, CPS 234 applies from 1 July 2020, or from the next renewal date of the contract if that is earlier.

What you need to do

Clearly define information security-related responsibilities of your board, senior management, governing bodies and individuals;
Maintain information security capability commensurate with the size and extent of threats to your information;
Assess information security capabilities of any third parties that manage your information assets;
Maintain an information security policy framework;
Classify your information in terms of criticality and sensitivity, including those managed by related parties and third parties;
Implement information security controls to protect your information, and undertake systematic testing to assure those controls – even if those controls are operated by third parties;
Have robust mechanisms to detect and respond to information security incidents in a timely manner;
Maintain and test a security incident response plan; and
Notify APRA of material information security incidents.

The role of internal audit

CPS 234 requires internal audit functions to review the design and operating effectiveness of information security controls. This includes information security controls maintained by related parties and third parties, especially where:

an information security incident has the potential to materially affect, financially or non-financially, your entity or the interests of your depositors, policyholders, beneficiaries or other customers; or
internal audit intends to rely on the information security control assurances provided by related parties or third parties;

CPS 234 requires that information security controls be tested and assured by appropriately skilled information security personnel. This is where Centium can assist.

Download the APRA CPS 234 public release here

How can CENTIUM help you?

Centium has decades of experience in assisting government and non-government entities to review, assure and bolster their information security capabilities. We have direct experience and valuable insights with respect to each of the CPS 234 requirements. We can help you to achieve compliance by 1 July 2019.

For example, we can:

Perform a gap analysis against the CPS 234 requirements to ensure you achieve compliance by 1 July 2019.
Enhance your information security capabilities through targeted training and hands-on assistance;
Assess information security capabilities of any third parties that manage your information assets;
Review and enhance your information security policy framework;
Classify your information in terms of criticality and sensitivity, including those managed by related parties and third parties;
Help implement information security controls to protect your information
Undertake systematic testing to assure your information security controls, including those operated by third parties and outsourced service providers;
Review and enhance your security incident response plan;
Test your security incident response plan;
Review your current Business Continuity and ICT (Disaster) Recovery capabilities; and
Supplement inhouse internal audit resources with specialised information security skills.

Download our Service Sheet here

Our expert team:

Our team includes specialist practitioners with decades of information and cyber security experience in APRA regulated environments. We can provide expert, practical, fit for purpose capabilities to help you achieve compliance by 1 July 2019.

To discuss how we can help you meet your compliance obligations, email us at info@centium.com.au or call us on 13002378100.

« Are you VPDSF ready?

NSW CONTAINER DEPOSIT SCHEME: Independent Assurance Reporting is a regulatory requirement »