Skip to content

The expert's guide to APRA CPS 234

Group 193 (1)-1

Introducing the expert's guide to APRA CPS 234

The APRA CPS 234 Guide provides authoritative guidance to help organizations implement effective cybersecurity strategies. Written by the Australian Prudential Regulation Authority (APRA), this guide outlines the essential elements of a cyber security framework and outlines best practices for protecting data and systems from cyber threats. It provides detailed guidance on how to assess risk, implement safeguards, and respond to cyber incidents. The guide also includes information on how to develop policies and procedures, educate staff, and monitor cyber security performance. With this guide, organizations can ensure that their systems are secure and their data is protected.

What is CPS 234?

CPS 234 is a regulation issued by the Australian Prudential Regulatory Authority (APRA) that mandates organizations in the financial and insurance sectors to enhance their information security framework to protect themselves and their customers from the escalating threat of cyber attacks.

Mandatory Regulation for Financial and Insurance Sectors

CPS 234 is a mandatory regulation that applies to all organizations operating in the financial and insurance sectors in Australia. The regulation came into effect on July 1, 2019, and organizations were given a transition period of six months to comply with the requirements of the regulation.

Strengthening Information Security Framework

The primary objective of CPS 234 is to strengthen the information security framework of organizations in the financial and insurance sectors. The regulation mandates organizations to have an information security program that is appropriate to their size, complexity, and the nature of their activities.

Tailored Information Security Program

Organizations must tailor their information security program to their specific needs and include policies, processes, and procedures for managing information security risks. The program should be designed to manage risks that are specific to the organization's operations.

Information Security Risk Assessment

CPS 234 requires organizations to have an information security risk assessment process in place to identify, assess, and manage risks. The risk assessment process should be reviewed and updated regularly to ensure that it remains relevant and effective.

Incident Response Plan

Organizations must have an incident response plan to address any security incidents that may arise. The plan should be tested regularly and updated as required to ensure that it remains effective.

Data Protection

CPS 234 requires organizations to have appropriate controls in place to protect their systems and data, including access controls, encryption, and data loss prevention. Organizations must also have a system for monitoring their systems and networks and alerting them to any suspicious activity or potential threats.

Third-Party Vendor Management

Organizations must have a process for assessing the security of third-party vendors (check out our third-party risk management solution) and other external entities that have access to their systems or data. They must ensure that any third-party vendors they use are compliant with CPS 234 and have appropriate security measures in place.

Employee Training

Finally, organizations must have a process for training their staff on information security and ensuring that they follow the policies and procedures put in place by the organization. This includes educating staff on how to identify and report suspicious activity or potential threats.

CPS 234 is an essential step towards strengthening the information security framework of organizations in the financial and insurance sectors. By implementing the requirements of the regulation, organizations can ensure that their systems and data are secure, and their customers' information is kept safe. Compliance with CPS 234 is not only a regulatory requirement, but it is also crucial for building trust with customers and stakeholders, and protecting the organization's reputation.


What is APRA?

The Australian Prudential Regulation Authority (APRA) is a statutory authority that was established by the Australian Government in 1998. It is responsible for supervising institutions that engage in insurance, superannuation, and banking activities in Australia.

Supervision of Financial Institutions

APRA acts independently to supervise institutions that are authorized to take deposits, including building societies, banks, and credit unions. It also oversees private health insurers, general and life insurers, superannuation funds, friendly societies, and reinsurance companies.

The primary aim of APRA is to provide assurance to communities that institutions are behaving financially responsibly under all reasonable circumstances. It seeks to maintain a sound financial system in Australia and ensure that institutions are operating in a way that protects the interests of their customers.

Accountability to the Australian Parliament

While APRA is an independent statutory authority, it is ultimately accountable to the Australian Parliament. This means that it must report to the Parliament on its activities and outcomes and provide information when requested.

In carrying out its supervisory role, APRA uses a risk-based approach to identify and assess risks that could have an impact on the stability of the financial system. It works closely with other regulatory agencies, such as the Australian Securities and Investments Commission (ASIC), to ensure that financial institutions are complying with their regulatory obligations.

Prudential Standards

APRA also develops prudential standards that financial institutions must comply with. These standards set out requirements for how institutions should operate in areas such as risk management, governance, and capital adequacy. Institutions that fail to comply with these standards may be subject to regulatory action, including fines and license revocation.

In addition to setting standards, APRA also provides guidance and support to institutions to help them meet their obligations. It engages with institutions through regular supervisory reviews and meetings and provides feedback on areas where they need to improve.

Importance of APRA

In summary, APRA plays a critical role in maintaining a sound financial system in Australia. It provides assurance to communities that institutions are behaving financially responsibly and ensures that institutions are operating in a way that protects the interests of their customers.

Through its supervisory activities, APRA helps to identify and manage risks that could have an impact on the stability of the financial system. It also sets prudential standards that institutions must comply with and provides guidance and support to help them meet their obligations.

Overall, APRA's work is essential to ensuring that Australia's financial system remains stable and resilient, even in the face of challenges and uncertainties.


Why is the APRA CPS 234 Important?

The Australian Prudential Regulation Authority (APRA) CPS 234 is an important regulation for financial institutions in Australia. It is designed to reduce risk and improve cybersecurity by mandating the adoption of best practices for information security systems and practices.

The CPS 234 is important because it provides a framework for financial institutions to ensure their data and customer information is secure. It requires entities regulated by APRA to maintain information security systems and practices that are appropriate for the threats they face. This includes the implementation of risk management techniques to reduce the likelihood and impact of third-party incidents.

The CPS 234 also requires financial institutions to have a risk management program in place that is designed to identify, assess, and manage cyber risks. This includes the implementation of security controls, such as encryption, firewalls, and access controls, to protect data and systems from unauthorized access. Additionally, the regulation requires financial institutions to have a formal process in place to monitor, detect, and respond to cyber threats.

The CPS 234 also requires financial institutions to have a comprehensive incident response plan in place. This plan should include steps for identifying, responding to, and mitigating the impact of a cyberattack. It should also include procedures for notifying customers and other stakeholders of any data breaches or incidents.

Finally, the CPS 234 requires financial institutions to have a comprehensive supplier risk management program in place. This includes the assessment of third-party suppliers and their security controls, as well as the implementation of appropriate mitigation strategies.

In summary, the APRA CPS 234 is an important regulation for financial institutions in Australia. It is designed to reduce risk and improve cybersecurity by mandating the adoption of best practices for information security systems and practices. By implementing the CPS 234, financial institutions can ensure their data and customer information is secure and reduce the likelihood of a cyberattack.


Who Needs to Comply with CPS 234?

CPS 234 is an important regulation introduced by the Australian Prudential Regulation Authority (APRA) that sets out the requirements for how organizations regulated by APRA need to manage their information in order to protect the data of their customers and ensure the security of the organization’s systems.

Organizations that need to comply with CPS 234 include:

  1. Accredited Deposit-Taking Institutions (ADIs): This includes foreign and non-business holding companies that are licensed under Australian banking law.
  2. General Insurance Companies: This includes category C, non-operating holding companies that are licensed under Australian insurance law, as well as parent companies of secondary insurers.
  3. Life Insurance Companies: This includes membership societies, foreign life insurance companies, and non-operating holding companies that are registered under the Australian Life Insurance Act.
  4. Private Health Insurance Companies: These are companies that are registered under the Private Health Insurance Act.
  5. Organizations Licensed Under: The Superannuation Industry (Supervision) Act 1993 (SIS Act): This includes organizations that are licensed under the SIS Act.

Organizations that are regulated by APRA must ensure that they comply with the CPS 234 regulation in order to protect the data of their customers and ensure the security of their systems. This includes ensuring that their information is managed in a secure manner and that they have appropriate risk management and security controls in place. Organizations must also ensure that any third parties they use to manage their information also comply with the CPS 234 regulation. This includes ensuring that third parties have appropriate risk management and security controls in place and that they are managing the information in a secure manner.

In addition, organizations regulated by APRA must ensure that they are regularly monitoring and assessing the security of their systems and the data they manage. This includes conducting regular vulnerability assessments and penetration tests to identify any potential security risks and weaknesses.

CPS 234 is an important regulation that organizations regulated by APRA must comply with in order to protect the data of their customers and ensure the security of their systems. It is essential that organizations ensure that they are complying with the regulation and that any third parties they use to manage their information are also compliant. Regular monitoring and assessment of the security of their systems is also essential in order to identify any potential security risks and weaknesses.


What are the objectives of CPS 234?

The main objective of the CPS 234 draft standard is to ensure that regulated entities have the necessary information security measures in place to protect data assets and respond to security incidents in a timely manner. The standard aims to minimize the likelihood and impact of information security incidents, as well as to ensure that regulated entities have appropriate mechanisms for detecting and responding to security incidents on time.

The draft standard sets out the roles and responsibilities of the board, executive management, individuals within a company, and governing bodies in relation to information security. It also defines and documents information security functions and policy frameworks. This includes the need for regular system testing and validation to ensure that the necessary controls are in place.

Furthermore, the draft standard outlines the need for regulated entities to notify the Australian Prudential Regulation Authority (APRA) within 24 hours of any significant information security incident. This is to ensure that the necessary steps are taken to respond to the incident in a timely manner.

The draft standard also outlines the need for a risk management framework to be implemented. This includes the need to identify, assess, and manage the risks associated with the use of technology, information systems, and data assets. This is to ensure that the necessary steps are taken to protect the data assets and respond to security incidents in a timely manner.

Finally, the draft standard outlines the need for regulated entities to develop and maintain a robust information security program. This includes the need to regularly review and update policies and procedures, as well as to monitor and report on the effectiveness of the information security program.

In summary, the objectives of CPS 234 are to ensure that regulated entities have the necessary information security measures in place to protect data assets and respond to security incidents in a timely manner. The draft standard outlines the roles and responsibilities of the board, executive management, individuals within a company, and governing bodies, as well as the need for a risk management framework and an information security program. It also outlines the need for regulated entities to notify the Australian Prudential Regulation Authority (APRA) within 24 hours of any significant information security incident.


What are the requirements of CPS 234?

The Australian Prudential Regulation Authority (APRA) released its CPS 234, ‘Information Security’, in July 2018. This document provides a framework for organizations to follow to ensure the security of their information systems and the data they contain. The requirements of CPS 234 are divided into three main areas: governance, risk management, and implementation.

Under the governance requirements, organizations must establish and maintain an information security governance framework. This framework must include:

• A clear organizational structure and chain of responsibility for information security

• A set of policies and procedures to ensure the security of information systems and data

• Regular reviews of the framework and its effectiveness

• A process for responding to security incidents

• A process for monitoring and reporting on the security of information systems and data

The risk management requirements of CPS 234 focus on the identification, assessment, and management of information security risks. Organizations must identify and assess the risks associated with their information systems and data. They must also develop and maintain a risk management plan that outlines how these risks will be managed.

Finally, the implementation requirements of CPS 234 focus on the technical and operational measures organizations must take to protect their information systems and data. These measures include:

• Access control measures to ensure only authorized personnel can access information systems and data

• Encryption of data to protect it from unauthorized access

• Regular patching and updating of software and systems

• Regular backups of data to ensure its availability in the event of an incident

• Monitoring of systems and data to detect suspicious activity

• Regular security testing to identify vulnerabilities

CPS 234 is an important document for organizations that handle sensitive data. It provides a framework for organizations to follow to ensure the security of their information systems and the data they contain. By following the requirements of CPS 234, organizations can ensure that their data is secure and their customers’ information is protected.


The responsibility of the board of an APRA-regulated entity in relation to information security

The board of an APRA-regulated entity has a responsibility to ensure the security of its information assets. This responsibility is essential to the continued sound operation of the entity, as the security of information assets is a key component of protecting the organisation from the risks posed by cyber threats.

The board should ensure that the entity has an appropriate information security policy and procedures in place, and that these are regularly reviewed and updated to reflect changes in the organisation's risk profile. This policy should be comprehensive and cover areas such as access control, data encryption, incident response, and monitoring.

The board should also ensure that the entity has an Information Security Officer (ISO) in place to oversee the implementation of the organisation's security policy and procedures. The ISO should be responsible for developing and maintaining security protocols, conducting security audits, and monitoring the organisation's security posture.

The board should also ensure that the entity has adequate resources to ensure the security of its information assets. This includes appropriate technical resources, such as firewalls, antivirus software, and intrusion detection systems, as well as necessary personnel resources, such as a dedicated IT security team or an external security consultant.

The board should also ensure that the entity has a culture of security awareness. This involves educating employees on the importance of information security and the risks posed by cyber threats. It also involves ensuring that employees are aware of the security policies and procedures in place and that they are following them.

The board should also ensure that the entity has an effective incident response plan in place. This plan should include procedures for detecting, responding to, and recovering from cyber incidents. The plan should also include procedures for reporting incidents to the relevant authorities, such as APRA.

Finally, the board should ensure that the entity has a risk management process in place. This process should involve regularly assessing the organisation's security posture and identifying any potential vulnerabilities. It should also involve developing and implementing appropriate measures to mitigate these risks.

In summary, the board of an APRA-regulated entity has a responsibility to ensure the security of its information assets. This responsibility includes ensuring that the organisation has an appropriate security policy and procedures in place, an Information Security Officer to oversee the implementation of these policies, adequate resources to ensure the security of its information assets, a culture of security awareness, an effective incident response plan, and a risk management process. By ensuring these measures are in place, the board can help to protect the organisation from the risks posed by cyber threats.


Information security capability

Information security capability is the ability of an organization to protect its information assets from malicious attacks, data breaches, and other cyber threats. It is an essential part of any organization’s security posture and is fundamental in ensuring the confidentiality, integrity, and availability of its data and systems.

Organizations must have a comprehensive understanding of their information security capabilities in order to effectively protect their information assets. This includes understanding what information assets they have, what risks they face, and what measures they have in place to mitigate those risks.

Organizations must also have a clear understanding of their responsibilities in relation to the management of their information assets. This includes ensuring that the security controls they have in place are properly implemented and maintained, and that the appropriate personnel are trained and knowledgeable about the security controls.

Organizations must also be aware of the potential for third parties to compromise their information security capabilities. This includes assessing the security capabilities of any third parties that they may be using to manage their information assets. This assessment should include evaluating the third party’s security controls, procedures, and personnel, as well as understanding the potential risks associated with the third party’s use of the organization’s information assets.

Organizations must also ensure that they actively maintain their information security capabilities. This includes monitoring changes in vulnerabilities and threats and responding to those changes in a timely manner. This may involve updating security controls, procedures, and personnel, as well as implementing new security measures such as encryption and multi-factor authentication.

Organizations must also ensure that they have an effective incident response plan in place. This plan should include procedures for responding to data breaches and other cyber incidents, as well as steps for containing and mitigating the impact of those incidents.

Finally, organizations must ensure that their information security capabilities are regularly tested and evaluated. This includes conducting regular security audits and penetration tests, as well as performing regular vulnerability scans. This will help ensure that any weaknesses in the organization’s security posture are identified and addressed in a timely manner.

In summary, information security capability is an essential element of any organization’s security posture. Organizations must have a comprehensive understanding of their information security capabilities, including their responsibilities in relation to the management of their information assets. They must also assess the security capabilities of any third parties they use to manage their information assets and actively maintain their information security capabilities. Finally, they must ensure that their information security capabilities are regularly tested and evaluated.


Information asset identification and classification

Information asset identification and classification are essential components of an effective information security program. Proper identification and classification of information assets ensure that the appropriate security controls are implemented to protect the assets from unauthorized access, use, and disclosure.

Information assets can be broadly classified into two categories: physical and logical. Physical assets include tangible items such as servers, storage devices, and other hardware components, while logical assets include software, data, and other intangible assets. Identifying and classifying both types of assets is important for an information security program.

The first step in the process of information asset identification and classification is to identify the assets that are important to the organization. This includes both physical and logical assets. It is important to consider the value of the asset to the organization and the potential risk associated with its loss or compromise.

Once the assets have been identified, they should be classified according to their criticality and sensitivity. Criticality refers to the degree to which an asset is critical to the organization’s operations, while sensitivity refers to the degree to which an asset contains sensitive or confidential information.

The next step is to assign appropriate security controls to the identified and classified assets. This includes both technical and non-technical controls. Technical controls include measures such as encryption, authentication, and access control. Non-technical controls include measures such as user awareness training, personnel security policies, and physical security measures.

When classifying information assets, it is important to consider the potential impact of a security incident on the organization. This includes both financial and non-financial impacts. Financial impacts may include losses due to data leakage, theft, or destruction of assets. Non-financial impacts may include reputational damage, legal action, or other consequences.

Finally, it is important to monitor and review the information asset classification and security controls on a regular basis. This ensures that the security controls remain up-to-date and effective. It also helps to identify any gaps in the security program and to ensure that any changes to the environment are properly accounted for.

In conclusion, information asset identification and classification are essential components of an effective information security program. Proper identification and classification of assets ensure that the appropriate security controls are implemented to protect the assets from unauthorized access, use, and disclosure. It is also important to consider the potential financial and non-financial impacts of a security incident when classifying information assets. Finally, it is important to monitor and review the information asset classification and security controls on a regular basis.


Implementation of controls for third-party information assets

When it comes to information security, third-party information assets present a unique set of challenges. Third-party assets are often outside of the direct control of the APRA-regulated entity, and as such, require additional security measures to be implemented.

The first step in ensuring adequate security for third-party information assets is to conduct a thorough risk assessment. This assessment should identify any potential vulnerabilities and threats to the information assets, as well as the criticality and sensitivity of the information assets. The risk assessment should also take into account the stage at which the information assets are within their life-cycle, as well as the potential consequences of an information security incident.

Once the risks have been identified, the APRA-regulated entity should implement appropriate security controls to mitigate these risks. These controls should be implemented in a timely manner and should be commensurate with the identified risks. The security controls implemented should include both technical and non-technical measures.

On the technical side, measures such as encryption, firewalls, and data loss prevention (DLP) solutions can be implemented to protect the third-party information assets. On the non-technical side, the APRA-regulated entity should ensure that any third-party vendors or partners are subject to appropriate contractual obligations, such as confidentiality agreements and service-level agreements. The APRA-regulated entity should also ensure that third-party vendors or partners are subject to regular audits and reviews. This will ensure that any security issues are identified and addressed in a timely manner.

💡 You might be interested in our third-party risk management solution.

Additionally, the APRA-regulated entity should have a process in place to monitor the security of the third-party information assets on an ongoing basis. Finally, it is important to note that the implementation of security controls for third-party information assets is an ongoing process. As such, the APRA-regulated entity should ensure that any new third-party vendors or partners are subject to the same security controls as existing vendors or partners and that the security controls are regularly reviewed and updated as needed.

In conclusion, it is clear that the implementation of security controls for third-party information assets is essential for any APRA-regulated entity. By conducting a thorough risk assessment, implementing appropriate security controls, and monitoring the security of the third-party information assets on an ongoing basis, the APRA-regulated entity can ensure that its information assets are adequately protected.


Incident management

Incident management is a critical component of any organization's information security program. An incident management program involves the procedures, processes, and tools used to detect, respond to, and contain the effects of an information security incident. It is vital for organizations to have a well-designed incident management program to ensure the security of their data and systems.

The primary objective of incident management is to minimize the impact of an incident on the organization, including damage to its reputation, data, and systems, as well as disruption to its operations. An effective incident management program empowers the organization to respond rapidly and efficiently to incidents and to contain their effects.

The first step in creating a successful incident management program is to establish an incident response plan. This plan should outline the procedures for detecting, responding to, and containing the effects of an incident, as well as the roles and responsibilities of the stakeholders involved in the incident response process. The plan should also include escalation procedures for reporting incidents to the appropriate governing bodies and individuals responsible for incident management and oversight.

Once the incident response plan is in place, the organization should create an incident management team and assign roles and responsibilities to each team member. The team should consist of individuals from various departments within the organization, such as IT, legal, compliance, and human resources. External stakeholders, such as law enforcement, third-party vendors, and other organizations, should also be included.

Next, the organization should develop and implement policies and procedures for incident detection and response, including the use of tools and technologies to detect and respond to incidents and procedures for logging and monitoring incidents. The organization should also create procedures for reporting incidents to the appropriate governing bodies and individuals responsible for incident management and oversight.

Finally, the organization should implement a post-incident review process. This process should include a review of the incident response process and the effectiveness of the incident management program, as well as a review of the organization's policies and procedures for incident detection and response.

In conclusion, incident management is a crucial aspect of any organization's information security program. An effective incident management program should consist of an incident response plan, an incident management team, and policies and procedures for incident detection and response. It should also include a post-incident review process to ensure the program's efficacy.


Testing control effectiveness

Testing control effectiveness is an essential part of any information security system. It is an integral part of the process of ensuring that the controls put in place to protect an organization’s information assets are working as intended. Testing control effectiveness helps organizations to identify any weaknesses in their existing security controls and to identify any areas that need to be strengthened. This helps to ensure that the organization’s information assets are protected from malicious attacks and other potential threats.

Regular testing of control effectiveness is an important part of the APRA’s CPS 234, which requires organizations to regularly test the effectiveness of their information security controls through a “systematic testing program”. This program should be tailored to the specific needs of the organization and should take into account:

  • The rate of change in vulnerabilities and threats
  • The criticality and sensitivity of the information asset
  • The consequences of an information security incident
  • The risks associated with exposure to environments where the APRA-regulated entity is unable to enforce its information security policies
  • The materiality and frequency of change to information assets.

Organizations should consider the following when testing control effectiveness:

  • Identifying the security objectives of the organization: Organizations should identify the security objectives they are trying to achieve and use this to determine the types of tests that need to be conducted.
  • Testing the security controls: Organizations should test the security controls they have implemented to ensure they are working as intended. This may include testing the effectiveness of access controls, authentication mechanisms, encryption mechanisms, and other security controls.
  • Testing the system architecture: Organizations should ensure that their system architecture is secure and that it meets the security objectives of the organization. This may include testing for any weaknesses in the system architecture that could be exploited by attackers.
  • Testing the security processes: Organizations should also test their security processes to ensure they are working as intended. This may include testing the effectiveness of incident response plans, security awareness training programs, and other security processes.
  • Testing the security policies: Organizations should also test the security policies they have in place to ensure they are effective. This may include testing the effectiveness of the policies in preventing unauthorized access to information assets, preventing data leakage, and other security policies.

Testing control effectiveness is an important part of any information security system. It helps organizations to identify any weaknesses in their existing security controls and to identify any areas that need to be strengthened. Regular testing is an essential part of the APRA’s CPS 234, and organizations should ensure they are regularly testing the effectiveness of their information security controls.


When do businesses need to notify APRA?

Businesses need to notify the Australian Prudential Regulation Authority (APRA) of cyber security incidents within 72 hours after they become aware of them. This requirement is set out in the ‘Prudential Standard CPS 234 – Information Security’, which is a set of guidelines developed by APRA to protect the financial system from cyber threats.

The notification requirement applies to any threat that has the potential to materially affect, financially or non-financially, the entity or the interests of its customers. This includes threats that could result in:

  • The loss or theft of customer data
  • The disruption of services
  • The manipulation of data or systems
  • Threats that have been notified to other regulators, either in Australia or other jurisdictions.

When a business becomes aware of a cyber security incident, it must:

  • Assess the impact of the threat
  • Determine whether it needs to be reported to APRA.

If the incident has the potential to cause serious harm to the business, its customers, or the financial system, then it should be reported. Businesses should also consider any other obligations they may have to report the incident to other regulators or authorities.

For example, if the incident involves the loss or theft of customer data, then the business may also be required to notify the Office of the Australian Information Commissioner (OAIC).

In order to ensure that APRA is notified of a cyber security incident in a timely manner, businesses should have a process in place to:

  • Identify and report incidents
  • Monitor and assess the impact of the incident
  • Notify the relevant authorities.

Businesses should also ensure that they have adequate cyber security measures in place to protect their systems and data. This includes measures such as:

  • Encryption
  • Secure access controls
  • Regular security audits.

By following the guidelines set out in CPS 234 and implementing robust cyber security measures, businesses can help to protect their customers and the financial system from cyber threats. By notifying APRA of any cyber security incidents that they become aware of, businesses can also help to ensure that the regulator is able to take appropriate action to protect the interests of customers and the financial system.