APRA Prudential Standard CPS 234 comes into effect on Monday 1 July 2019. The standard aims to bolster the cybersecurity readiness of APRA-regulated entities and minimising the likelihood and impact of incidents on confidentiality, integrity or availability of information and information systems.
CPS 234 largely reflects APRA’s previous practice guide CPG 234, updating and adding enforceability to the obligations.
Here are the top 8 things you need to know about CPS 234:
- Commencement: CPS 234 commences on 1 July 2019. If your information assets are managed by a third party, you must make sure any new contract entered after 1 July is CPS 234 compliant. For existing contracting, you must be CPS 234 compliant from the earlier of the next renewal date or 1 July 2020.
- Information security capability: You and your IT providers must maintain an information security capability (which includes the totality of your resources, skills and controls) proportionate with the size and extent of threats to your information assets. This includes making similar assessments in relation to related / third parties that manage those assets.
- Policy framework: Your information security policy framework must be proportionate to their exposure to threats. It must outline responsibilities of stakeholders who have responsibilities within that framework (including the Board, senior management, governing bodies and individuals).
- Identify and classify: Information assets, including those managed by related/third parties, must be classified with reference to their criticality and sensitivity.
- Security controls: You and your IT providers must have information security controls to protect its information. These controls must contemplate an asset’s vulnerabilities and threats, criticality and sensitivity, and life-cycle stage, as well as the potential consequences of a cybersecurity incident. This extends to making similar assessments in relation to related / third parties that manage those assets.
- Incident management: CPS 234 requires that you and your IT providers have mechanisms in place to detect and respond to threats in a timely manner, as well as specific response plans for plausible incidents. These must be annually reviewed and tested to verify their effectiveness and suitability.
- Testing and audit: You and your IT providers must carry out appropriate testing of the security controls protecting your data. Testing must be conducted by skilled and functionally independent specialists, with the testing program is to be reviewed annually or in response to material changes. You must also include a review of the design and effectiveness of security controls, including those of related/third parties, in their internal audit activities.
- Incident notification: You must notify APRA as soon as possible, but no later than 72 hours, after becoming aware of an information security incident that did, or had the potential to, materially affect stakeholders, or one that has been notified to other regulators. You must also notify APRA as soon as possible, but no later than 10 days, after becoming aware of material information security control weakness which you won’t be able to remediate in a timely manner.
Authors: Michael Caplan, Mark Ferguson and Matthew Scrocca