In the last decade, we’ve experienced tremendous progress due to the internet, information security, and several other advancements that have made lives easier—and better.
Unfortunately, this has also left our information more vulnerable to malicious agents. With newer cybercrime techniques popping up frequently, countries are rushing to introduce various data protection acts and standards to keep their citizens’ data safe and sound.
One such example is the CPS 234. It was created by the Australian Prudential Regulation Authority (APRA) to ensure all companies that fall under its regulations have optimal information security levels.
In this guide, we’ll discuss CPS 234 in more detail to give you a better understanding of how it works and what you need to do to ensure compliance.
What Is CPS 234 Anyway?
CPS 234 is a compulsory information security regulation issued by the APRA that took effect on July 1, 2019. Under this regulation, organizations in the financial and insurance sectors must take the necessary measures to improve and strengthen their information security framework to protect themselves and their customers from cyberattacks.
The APRA is a statutory authority that the Australian government established in 1998. Although it’s accountable to the Australian Parliament, it acts independently to supervise institutions operating in the insurance, banking, and superannuation sectors.
The primary purpose of the APRA is to keep the financial system stable and assure communities that promises are being kept concerning the safety of their banked money, insurers satisfying claims, and the efficient management of super funds.
It created the CPS 234 regulation to minimize the likelihood and impact of information security (IS) incidents on information assets, including ones managed by third parties or other related parties.
How CPS 234 Works
Cyberattacks are increasing in terms of impact, frequency, and sophistication, with bad agents continuously refining their efforts to gain unauthorized access to networks, systems, and critical information.
CPS 234 is designed to ensure APRA-regulated entities remain resilient to cyberattacks and other security threats. It also intends for these businesses to respond in a timely manner in case of data breaches or other security incidents.
Financial institutions, in particular, are always on the radar of malicious hackers because they hold personally identifiable information (PII) and protected health information (PHI) of Australian citizens. The fact that banks and insurance companies often use third-party tools and services to improve customer experience also puts them at risk of security exposure.
Because of these circumstances, stakeholders (senior management, board of directors, customers, shareholders, and regulators) have made the safeguarding of information assets more stringent.
CPS 234 aims to reduce cyber risk and simultaneously boost cybersecurity by making it mandatory for APRA-regulated entities to maintain information security systems and practices to keep any threat at bay. They’re also required to apply vendor risk management best practices to reduce the likelihood and impact of third-party incidents.
CPS 234 Objectives and Goals
Here are the main requirements and goals of CPS 234:
- To ensure regulated entities take the necessary precautions to respond to cybersecurity incidents on time.
- To reduce the likelihood and impact of information security incidents.
- To clearly define information security roles and responsibilities for the board, executive management, company employees and workers, and governing bodies.
- To determine and document information security functions and policy frameworks.
- To ensure regulated entities have appropriate mechanisms for detecting and responding to security incidents on time.
- To safeguard data assets and implement controls based on system testing and validation.
- To make it necessary for regulated entities to notify APRA in case of any significant information security incident within 24 hours.
Keeping the above factors in mind, CPS 234 intends to strengthen six key areas of information security, namely:
- Information Asset Identification and Classification. Information assets should be classified based on the importance (according to the impact of availability loss) and confidentiality (according to the impact of confidentiality and integrity loss).
- Cyber Security Frameworks, Accountability, and Reporting. It’s crucial to have a formal framework for security, controls the establishment, and information security roles assignment for the boards, management, governing bodies, and individuals.
- Systematic Security Assurances. This involves continually testing systems to make sure security measures are appropriate and effective considering the highly dynamic threat landscape.
- Security Incidents Response. A formal incident response plan must be formulated to ensure adequate response and mitigation of all incidents and timely notification of significant incidents to the APRA.
- Third-Party Compliance. This involves ensuring information security standards are maintained by third parties that process organizational data.
- Internal Audits. APRA-regulated entities must conduct period internal audits to ensure the effectiveness of information security controls.
Understanding the Primary Requirements for CPS 234 Compliance
CPS 234 mainly discusses how the governing body expects covered organizations to improve and strengthen their security programs. Let’s take a look at how APRA expects regulated organizations to secure data.
Roles and Responsibilities
CPS 234 requires robust governance by an entity’s Board of Directors. Organizations must assign cybersecurity responsibilities across all leadership and departments, including:
- Assurance by Board of Directors to maintain an appropriate risk-based information security program
- Defining information security-related roles and responsibilities across Board of Directors, senior management, governing bodies, and other stakeholders
Information Security Capability
This requirement focuses on governance capabilities and documentation, such as:
- Creating a risk-based capability for uninterrupted business operations
- Building a third-party risk management process
- Monitoring its information security capability to handle new vulnerability and threat risks
APRA-regulated entities should remain resilient by ensuring they understand all risks to their data. In a footnote, APRA specifically points out:
“For the avoidance of doubt, paragraph 16 of this Prudential Standard applies to all information assets managed by related parties and third parties, not only those captured under agreements with service providers of outsourced material business activities.”
In other words, regulated entities will have to create a detailed list of all third parties they share customer information or do business with.
APRA-regulated entities have to maintain an information security policy framework, which includes:
- Giving direction for responsible parties
- Responsible parties include the Board of Directors, senior management, governing bodies, staff, contractors, consultants, third parties, customers, and related parties.
Information Asset Identification and Classification
Under CPS 234, entities should know about all the sensitive data they collect, store, and transmit, such as:
- Data classification based on criticality and sensitivity
- Data identification by related parties and third parties
- Data classification after taking into account a security incident’s potential financial and non-financial impact on the interests of covered entities, depositors, policyholders, beneficiaries, and other customers.
Implementation of Controls
APRA-covered entities should enforce security controls for all data, including information managed by related parties and third parties. These controls must be risk-based too and implemented after taking the following into account:
- Data vulnerabilities and threats
- Data criticality and sensitivity
- Data life-cycle stage
- Related parties’ and third parties’ ability to secure data
- Potential consequences of an incident
This section also has a footnote that indicates related parties and third parties aren’t confined to agreements and outsourced activities.
Data protection must also consider how the regulated entity responds to events, like:
- Detecting and responding to incidents
- Its response plans, including likely threat scenarios
- Mechanisms for all relevant stages from detection to post-incident review
- Handling escalating and reporting incidents as part of proving governance
- Annual program testing and review
Testing Control Effectiveness
This section is perhaps the most detailed out of all the CPS 234 subsections. Here, covered entities must consider the following:
- Threat risk changes
- Potential risks from environments the entity doesn’t control
- Data criticality and sensitivity
- Security incident consequences
- Data change materiality and frequency
Additionally, entities should also:
- Review related party and third party testing frequency and robustness
- Check whether independent specialists have the necessary skills
- Review testing program adequacy every year (at the very minimum) or when a material change to the business environment or information assets occurs
- Escalate and report control deficiencies to the Board and senior management
All covered entities have to conduct an independent audit to prove governance. The requirements here include:
- Reviewing security control design and operating effectiveness
- Reviewing information security control assurance and information security incident documentation of related parties and third parties
- Checking whether audit personnel have the relevant skills
APRA’s CPS 234 also has a section regarding incident notification. This covers:
- Notifying within 72 hours of discovering the incident for any event that:
- Can financially or non-financially materially impact entity, depositors, policyholders, beneficiaries, or other customers
- Other regulators–in Australia or elsewhere–have already been notified about
- Notifying APRA within 10 days of finding a material control weakness that can’t be amended promptly
How to Get Started With CPS 234
To comply with CPS 234, you can undertake the following steps:
Step 1: Find and Address Compliance Gaps
You must self-assess all your processes regularly to understand how well you comply with CPS 234. Make a note of all the compliance gaps you find.
Step 2: Identify Opportunities to Improve
If you find your organization is in compliance, congratulations! However, your job isn’t done yet.
Assess your cybersecurity strategy and framework to find opportunities to improve. This will help enhance your readiness and compliance status while strengthening your data security and privacy.
Step 3: Cut Down Compliance Cost and Complexity
APRA-regulated entities have to show compliance with several other cybersecurity standards and frameworks in addition to CPS 234.
Think about it: What will happen when you need a single set of cybersecurity controls to meet compliance requirements for multiple regulatory standards? Or even worse, when those standards change?
Precisely why it’s essential to simplify cybersecurity compliance to reduce complexity.
Step 4: Examine Third-Party Cybersecurity Capabilities
Covered entities should examine and assess all their third parties’ cybersecurity capabilities. They must have a framework in place to quickly understand the risks associated with third-party arrangements and verify the latter has capabilities commensurate with the security threats they face.
Step 5: Measure Improvements Regularly
The Board of Directors, executive management, and security teams of all regulated entities should make sure the investments they make in their cybersecurity capabilities are worth it.
To do this, they’ll have to continuously review and deploy solutions to measure performance. Try to get genuine insights into the health of your organization’s cybersecurity framework.