Financial services organizations have long been a target for malicious actors. In November 2020, the Australian Prudential Regulation Authority (APRA) announced that it would be strengthening its enforcement of Cross-Industry Prudential Standard (CPS) 234. Although CPS 234 has been around since 2018, the regulatory body has remained lenient in its enforcement. However, with more stringent enforcement on the horizon, understanding the APRA CPS 234 becomes more important for organizations that need to prove compliance.

What is APRA CPS 234?

APRA is the regulatory authority for Australia’s financial services industry. CPS 234 sets out a series of guidelines for financial services organizations so that they can maintain cybersecurity resiliency and continue to protect sensitive data.

CPS 234 has four key requirements:

• Define information security-related roles and responsibilities
• Maintain a risk-based security posture that enables business continuity in response to cybersecurity incidents
• Implement security controls aligned with data asset criticality and sensitivity
• Notify APRA of information security incidents

Who does the APRA Prudential Standard apply to?

At a high level, CPS 234 applies to any APRA-regulated entity. The standard falls under sections of the following laws:

• The Banking Act of 1959 (Banking Act)
• The Insurance Act of 1973 (Insurance Act)
• The Life Insurance Act of 1995 (Life Insurance Act)
• The Private Health Insurance (Prudential Supervision) Act of 2015 (PHIPS Act
• The Superannuation Industry (Supervision) Act of 1993 (SIS Act)

On a more detailed level, CPS 234 specifically references the following:

• Banks:
  • Authorized deposit-taking institutions (ADIs)
  • Non-operating holding companies authorized under the Banking Act (authorized banking NOHCs);
• General and Life Insurers:
  • General insurers
  • Non-operating holding companies authorized under the Insurance Act (authorized insurance NOHCs)
  • Parent entities of Level 2 insurance groups;
  • Life companies, including friendly societies, eligible foreign life insurance companies (EFLICs)
  • Non-operating holding companies registered under the Life Insurance Act (registered life NOHCs);
  • Private health insurers registered under the PHIPS Act;
  • RSE licensees under the SIS Act

What are the primary requirements for complying with the APRA Prudential Standard CPS?

CPS 234 consists of thirty-six paragraphs, twenty-four of which discuss how the governing body expects covered organizations to mature their security programs. Within those twenty-four paragraphs, nine basic requirements outline how APRA expects covered organizations can better secure data.

Roles and responsibilities

Under this standard, organizations need to assign cybersecurity responsibilities across all leadership and departments. This includes:

• Assurance by Board of Directors that organization maintains appropriate risk-based information security program
• Clearly defining information security-related roles and responsibilities across Board of Directors, senior management, governing bodies, and other decision-making stakeholders

Specifically, CPS 234 requires robust governance by the covered entity’s Board of Directors.

Information security capability

The information security capability requirement focuses on creating governance capabilities and documentation. This includes:

• Establishing a risk-based capability for continued business operations
• Establishing a third-party risk management process
• Continuous monitoring over its information security capability to address new vulnerability and threat risks

At this level, covered entities should be focusing on how to maintain resiliency by ensuring they understand all risk to their data, including supply chain cybersecurity risk. In a footnote, APRA specifically points out:

For the avoidance of doubt, paragraph 16 of this Prudential Standard applies to all information assets managed by related parties and third parties, not only those captured under agreements with service providers of outsourced material business activities.

This footnote indicates that covered entities should create a detailed list of all third parties with whom they do business or share customer information.

Policy framework

Taking risk into account, all regulated entities need to maintain an information security policy framework. This includes:

• Providing direction for responsible parties
• Responsible parties include the Board, senior management, governing bodies, staff, contractors, consultants, related parties, third parties, and customers

Information asset identification and classification

Under CPS 234, covered entities need to ensure that they know what sensitive data they collect, store, and transmit. This includes:

• Classifying data based on criticality and sensitivity
• Identifying data managed by related parties and third parties
• Classifying data should consider a security incident’s potential financial and non-financial impact to the interests of:
  • Covered entity
  • Depositors
  • Policyholders
  • Beneficiaries
  • Other customers

Implementation of controls

In order to protect data, covered entities need to put security controls in place for all data, including information managed by related parties and third parties. The controls implemented should be risk-based, taking the following into account:

• Vulnerabilities and threats to data
• Criticality and sensitivity of data
• Life-cycle stage of data
• Potential consequences of an incident
• Related parties’ and third parties’ ability to secure data

Additionally, this section also incorporates a footnote that related parties and third parties are not confined to agreements and outsourced activities.

Incident management

Data protection must also consider how the covered entity responds to events. This includes:

• Mechanisms for detecting and responding to incidents
• Maintaining response plans that include likely threat scenarios
• Mechanisms for all relevant stages from detection to post-incident review
• Mechanisms for escalating and reporting incidents as part of proving governance
• Annual program testing and review

Testing control effectiveness

Out of all the CPS 234 subsections, this one has the most details. Under this section, covered entities must:

• Consider the following:
  • Threat risk changes
  • Data criticality and sensitivity
  • Security incident consequences
  • Potential risks from environments that the entity does not control
  • Materiality and frequency of data changes
• Review related party and third party testing frequency and robustness
• Escalate and report control deficiencies to the Board and senior management
• Ensure independent specialists have the skills necessary
• Review testing program sufficiency at least annually or when a material change to business environment or information assets occurs

Internal audit

In order to prove governance, all covered entities must conduct an independent audit. This should include:

• Review of security control design and operating effectiveness
• Review of related parties’ and third parties’:
  • Information security control assurance
  • Information security incident documentation
• Ensure audit personnel have appropriate skills

APRA notification

Like many other information security requirements, APRA’s CPS 234 incorporates a section regarding incident notification. This includes:

• Providing notification within 72 hours of discovering the incident for any event that:
  • Has potential to financially or non-financially materially impact entity, depositors, policyholders, beneficiaries, or other customers
  • Other regulators in Australia or elsewhere have been notified about
• Providing APRA notification within 10 days of finding a material control weakness that cannot be remediated in a timely manner

GRC360 for APRA CPS 234: Continuous monitoring and assurance

GRC360 enable organizations to reduce the costs associated with APRA CSP 234 compliance. Our security ratings platform provides viability into covered entities’, related parties’, and third parties’ security posture across ten categories of risk, including patching cadence, IP reputation, DNS health, network security, web application security, and endpoint security.

Covered entities gain at-a-glance visibility into risk with GRC360‘s easy-to-read security ratings that use an A-F scale. For organizations that need to engage in third party security monitoring, our Atlas platform leverages our security ratings’ risk data to compare questionnaire responses to the data we collect. This enables real-time assurance over third party risk for a more robust compliance program.

As organizations move toward enhancing their compliance programs to meet CPS 234 requirements, they can create an end-to-end program based on data and metrics by partnering with GRC360.