The Ultimate Manual For CPS 234

In the last decade, we’ve experienced tremendous progress due to the internet, information security, and several other advancements that have made lives easier—and better.

Unfortunately, this has also left our information more vulnerable to malicious agents. With newer cybercrime techniques popping up frequently, countries are rushing to introduce various data protection acts and standards to keep their citizens’ data safe and sound.

One such example is the CPS 234. It was created by the Australian Prudential Regulation Authority (APRA) to ensure all companies that fall under its regulations have optimal information security levels.

In this guide, we’ll discuss CPS 234 in more detail to give you a better understanding of how it works and what you need to do to ensure compliance.

What Is CPS 234 Anyway?

CPS 234 is a compulsory information security regulation issued by the APRA that took effect on July 1, 2019. Under this regulation, organizations in the financial and insurance sectors must take the necessary measures to improve and strengthen their information security framework to protect themselves and their customers from cyberattacks.

The APRA is a statutory authority that the Australian government established in 1998. Although it’s accountable to the Australian Parliament, it acts independently to supervise institutions operating in the insurance, banking, and superannuation sectors.

The primary purpose of the APRA is to keep the financial system stable and assure communities that promises are being kept concerning the safety of their banked money, insurers satisfying claims, and the efficient management of super funds.

It created the CPS 234 regulation to minimize the likelihood and impact of information security (IS) incidents on information assets, including ones managed by third parties or other related parties.

How CPS 234 Works

Cyberattacks are increasing in terms of impact, frequency, and sophistication, with bad agents continuously refining their efforts to gain unauthorized access to networks, systems, and critical information.

CPS 234 is designed to ensure APRA-regulated entities remain resilient to cyberattacks and other security threats. It also intends for these businesses to respond in a timely manner in case of data breaches or other security incidents.

Financial institutions, in particular, are always on the radar of malicious hackers because they hold personally identifiable information (PII) and protected health information (PHI) of Australian citizens. The fact that banks and insurance companies often use third-party tools and services to improve customer experience also puts them at risk of security exposure.

Because of these circumstances, stakeholders (senior management, board of directors, customers, shareholders, and regulators) have made the safeguarding of information assets more stringent.

CPS 234 aims to reduce cyber risk and simultaneously boost cybersecurity by making it mandatory for APRA-regulated entities to maintain information security systems and practices to keep any threat at bay. They’re also required to apply vendor risk management best practices to reduce the likelihood and impact of third-party incidents.

CPS 234 Objectives and Goals

Here are the main requirements and goals of CPS 234:

To ensure regulated entities take the necessary precautions to respond to cybersecurity incidents on time.
To reduce the likelihood and impact of information security incidents.
To clearly define information security roles and responsibilities for the board, executive management, company employees and workers, and governing bodies.
To determine and document information security functions and policy frameworks.
To ensure regulated entities have appropriate mechanisms for detecting and responding to security incidents on time.
To safeguard data assets and implement controls based on system testing and validation.
To make it necessary for regulated entities to notify APRA in case of any significant information security incident within 24 hours.

Keeping the above factors in mind, CPS 234 intends to strengthen six key areas of information security, namely:

Information Asset Identification and Classification. Information assets should be classified based on the importance (according to the impact of availability loss) and confidentiality (according to the impact of confidentiality and integrity loss).
Cyber Security Frameworks, Accountability, and Reporting. It’s crucial to have a formal framework for security, controls the establishment, and information security roles assignment for the boards, management, governing bodies, and individuals.
Systematic Security Assurances. This involves continually testing systems to make sure security measures are appropriate and effective considering the highly dynamic threat landscape.
Security Incidents Response. A formal incident response plan must be formulated to ensure adequate response and mitigation of all incidents and timely notification of significant incidents to the APRA.
Third-Party Compliance. This involves ensuring information security standards are maintained by third parties that process organizational data.
Internal Audits. APRA-regulated entities must conduct period internal audits to ensure the effectiveness of information security controls.

Understanding the Primary Requirements for CPS 234 Compliance

CPS 234 mainly discusses how the governing body expects covered organizations to improve and strengthen their security programs. Let’s take a look at how APRA expects regulated organizations to secure data.

Roles and Responsibilities

CPS 234 requires robust governance by an entity’s Board of Directors. Organizations must assign cybersecurity responsibilities across all leadership and departments, including:

Assurance by Board of Directors to maintain an appropriate risk-based information security program
Defining information security-related roles and responsibilities across Board of Directors, senior management, governing bodies, and other stakeholders

Information Security Capability

This requirement focuses on governance capabilities and documentation, such as:

Creating a risk-based capability for uninterrupted business operations
Building a third-party risk management process
Monitoring its information security capability to handle new vulnerability and threat risks

APRA-regulated entities should remain resilient by ensuring they understand all risks to their data. In a footnote, APRA specifically points out:

“For the avoidance of doubt, paragraph 16 of this Prudential Standard applies to all information assets managed by related parties and third parties, not only those captured under agreements with service providers of outsourced material business activities.”

In other words, regulated entities will have to create a detailed list of all third parties they share customer information or do business with.

Policy Framework

APRA-regulated entities have to maintain an information security policy framework, which includes:

Giving direction for responsible parties
Responsible parties include the Board of Directors, senior management, governing bodies, staff, contractors, consultants, third parties, customers, and related parties.

Information Asset Identification and Classification

Under CPS 234, entities should know about all the sensitive data they collect, store, and transmit, such as:

Data classification based on criticality and sensitivity
Data identification by related parties and third parties
Data classification after taking into account a security incident’s potential financial and non-financial impact on the interests of covered entities, depositors, policyholders, beneficiaries, and other customers.

Implementation of Controls

APRA-covered entities should enforce security controls for all data, including information managed by related parties and third parties. These controls must be risk-based too and implemented after taking the following into account:

Data vulnerabilities and threats
Data criticality and sensitivity
Data life-cycle stage
Related parties’ and third parties’ ability to secure data
Potential consequences of an incident

This section also has a footnote that indicates related parties and third parties aren’t confined to agreements and outsourced activities.

Incident Management

Data protection must also consider how the regulated entity responds to events, like:

Detecting and responding to incidents
Its response plans, including likely threat scenarios
Mechanisms for all relevant stages from detection to post-incident review
Handling escalating and reporting incidents as part of proving governance
Annual program testing and review

Testing Control Effectiveness

This section is perhaps the most detailed out of all the CPS 234 subsections. Here, covered entities must consider the following:

Threat risk changes
Potential risks from environments the entity doesn’t control
Data criticality and sensitivity
Security incident consequences
Data change materiality and frequency

Additionally, entities should also:

Review related party and third party testing frequency and robustness
Check whether independent specialists have the necessary skills
Review testing program adequacy every year (at the very minimum) or when a material change to the business environment or information assets occurs
Escalate and report control deficiencies to the Board and senior management

Internal Audit

All covered entities have to conduct an independent audit to prove governance. The requirements here include:

Reviewing security control design and operating effectiveness
Reviewing information security control assurance and information security incident documentation of related parties and third parties
Checking whether audit personnel have the relevant skills

APRA Notification

APRA’s CPS 234 also has a section regarding incident notification. This covers:

Notifying within 72 hours of discovering the incident for any event that:
- Can financially or non-financially materially impact entity, depositors, policyholders, beneficiaries, or other customers
- Other regulators–in Australia or elsewhere–have already been notified about
Notifying APRA within 10 days of finding a material control weakness that can’t be amended promptly

How to Get Started With CPS 234

To comply with CPS 234, you can undertake the following steps:

Step 1: Find and Address Compliance Gaps

You must self-assess all your processes regularly to understand how well you comply with CPS 234. Make a note of all the compliance gaps you find.

Step 2: Identify Opportunities to Improve

If you find your organization is in compliance, congratulations! However, your job isn’t done yet.

Assess your cybersecurity strategy and framework to find opportunities to improve. This will help enhance your readiness and compliance status while strengthening your data security and privacy.

Step 3: Cut Down Compliance Cost and Complexity

APRA-regulated entities have to show compliance with several other cybersecurity standards and frameworks in addition to CPS 234.

Think about it: What will happen when you need a single set of cybersecurity controls to meet compliance requirements for multiple regulatory standards? Or even worse, when those standards change?

Precisely why it’s essential to simplify cybersecurity compliance to reduce complexity.

Step 4: Examine Third-Party Cybersecurity Capabilities

Covered entities should examine and assess all their third parties’ cybersecurity capabilities. They must have a framework in place to quickly understand the risks associated with third-party arrangements and verify the latter has capabilities commensurate with the security threats they face.

Step 5: Measure Improvements Regularly

The Board of Directors, executive management, and security teams of all regulated entities should make sure the investments they make in their cybersecurity capabilities are worth it.

To do this, they’ll have to continuously review and deploy solutions to measure performance. Try to get genuine insights into the health of your organization’s cybersecurity framework.