
APRA CPS 234: APRA Assessment

Are you a financial institution or an insurance firm? StickmanCyber can help review your current cybersecurity framework against the requirements of APRA CPS 234, identify compliance issues, and provide recommendations for remediation.


What is APRA CPS 234?

This Prudential Standard is designed to ensure that APRA-regulated entities implement measures to enhance resilience against information security incidents, including cyberattacks. It requires maintaining an information security capability that aligns with the organization's vulnerabilities and threat landscape.


A primary objective is to reduce the likelihood and impact of security incidents that could compromise the confidentiality, integrity, or availability of information assets, including those managed by related or third-party entities.


Ultimately, the Board of an APRA-regulated entity holds responsibility for ensuring the organization's information security is effectively maintained.

Key requirements under APRA CPS 234:

01. Define roles and responsibilities

Clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals.

02. Maintain an information security capability

Maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.

03. Implement effective controls

Implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls.

04. Notify APRA

Notify APRA of material information security incidents.

What kinds of organisations does APRA CPS 234 apply to?

CPS 234 applies to all APRA-regulated entities. These include:

  • Banks, credit unions and other authorised deposit-taking institutions (ADIs)

  • Superannuation funds

  • Life insurance companies

  • Friendly societies

  • General insurers

  • Non-operating holding companies

  • Private health insurers.

It is important to note that from July 1, 2020, onwards all third parties that handle information assets from the above-listed organisations will also have to comply with CPS 234.


CPS 234 also applies to certain foreign entities. These include:

  • Foreign ADIs

  • Foreign general insurers

  • Foreign life insurance companies


Why is APRA CPS 234 relevant today?

Organisations in the finance industry have become especially lucrative targets for cybercriminals because of the high potential financial reward and the volume of personally identifiable information (PII) and protected health information (PHI) that these organisations hold.

This trend has been helped by lacklustre information security and an over-reliance on technology and third-party vendors by superannuation, banking and insurance companies seeking to increase customer satisfaction and operational efficiency. In consequence, internal and external stakeholders have raised their expectations when it comes to securing information assets.

CPS 234 can help APRA-regulated entities reduce cyber risk and improve their overall cybersecurity posture by ensuring that their information security capability takes into account their vulnerabilities and threats. CPS 234 also requires organisations to give more attention to vendor risk management, so that incidents involving third parties are reduced.
