Financial services organizations have long been a target for malicious actors. In November 2020, the Australian Prudential Regulation Authority (APRA) announced that it would be strengthening its enforcement of Cross-Industry Prudential Standard (CPS) 234. Although CPS 234 has been around since 2018, the regulatory body has remained lenient in its enforcement. However, with more stringent enforcement on the horizon, understanding the APRA CPS 234 becomes more important for organizations that need to prove compliance.
APRA is the regulatory authority for Australia’s financial services industry. CPS 234 sets out a series of guidelines for financial services organizations so that they can maintain cybersecurity resiliency and continue to protect sensitive data.
CPS 234 has four key requirements:
At a high level, CPS 234 applies to any APRA-regulated entity. The standard falls under sections of the following laws:
On a more detailed level, CPS 234 specifically references the following:
CPS 234 consists of thirty-six paragraphs, twenty-four of which discuss how the governing body expects covered organizations to mature their security programs. Within those twenty-four paragraphs, nine basic requirements outline how APRA expects covered organizations to better secure data.
Under this standard, organizations need to assign cybersecurity responsibilities across all leadership and departments. This includes:
Specifically, CPS 234 requires robust governance by the covered entity’s Board of Directors.
The information security capability requirement focuses on creating governance capabilities and documentation. This includes:
At this level, covered entities should be focusing on how to maintain resiliency by ensuring they understand all risks to their data, including supply chain cybersecurity risk. In a footnote, APRA specifically points out:
For the avoidance of doubt, paragraph 16 of this Prudential Standard applies to all information assets managed by related parties and third parties, not only those captured under agreements with service providers of outsourced material business activities.
This footnote indicates that covered entities should create a detailed list of all third parties with whom they do business or share customer information.
Taking risk into account, all regulated entities need to maintain an information security policy framework. This includes:
Under CPS 234, covered entities need to ensure that they know what sensitive data they collect, store, and transmit. This includes:
In order to protect data, covered entities need to put security controls in place for all data, including information managed by related parties and third parties. The controls implemented should be risk-based, taking the following into account:
This section also incorporates a footnote clarifying that the related parties and third parties in scope are not confined to those covered by formal agreements or outsourced activities.
Data protection must also consider how the covered entity responds to events. This includes:
Of all the CPS 234 subsections, this one is the most detailed. Under this section, covered entities must:
In order to prove governance, all covered entities must conduct an independent audit. This should include:
Like many other information security requirements, APRA’s CPS 234 incorporates a section regarding incident notification. This includes:
GRC360 enables organizations to reduce the costs associated with APRA CPS 234 compliance. Our security ratings platform provides visibility into covered entities’, related parties’, and third parties’ security posture across ten categories of risk, including patching cadence, IP reputation, DNS health, network security, web application security, and endpoint security.
Covered entities gain at-a-glance visibility into risk with GRC360’s easy-to-read security ratings, which use an A-F scale. For organizations that need to engage in third-party security monitoring, our Atlas platform leverages our security ratings’ risk data to compare questionnaire responses against the data we collect. This enables real-time assurance over third-party risk for a more robust compliance program.
As organizations move toward enhancing their compliance programs to meet CPS 234 requirements, they can create an end-to-end program based on data and metrics by partnering with GRC360.