APRA CPS 234

APRA Prudential Standard CPS 234 information security compliance

Achieve compliance with APRA CPS 234

The latest Australian Prudential Regulatory Authority (APRA) Prudential Standard CPS 234 (the Standard), which addresses information security, came into effect on 1 July 2019. It aims to mitigate the threat of cyber-attacks by ensuring that APRA-regulated entities take appropriate measures to be cyber resilient.

The Standard applies to all APRA-regulated entities, which includes authorised deposit-taking institutions (i.e. banks), general insurers, life insurance companies, private health insurers, and registrable superannuation entity licensees.


A summary of APRA CPS 234 requirements

A summary of the Standard’s requirements for APRA-regulated entities is detailed below. Full details can be found on the APRA website.

Roles and responsibilities

The Board of an APRA-regulated entity is ultimately responsible for the information security of the entity.

Information security capability

Must actively maintain an information security capability commensurate with the size, changing nature and extent of threats to its information assets, and which enables the continued sound operation of the entity.

Policy framework

Must maintain an information security policy framework commensurate with its exposures to vulnerabilities and threats. The framework must provide direction on the responsibilities of all parties who have an obligation to maintain information security.

Information asset identification and classification

Must classify its information assets, including those managed by related parties and third parties, by criticality and sensitivity.

Implementation of controls

Must have information security controls to protect its information assets, including those managed by related parties and third parties. They must be commensurate with: (a) vulnerabilities and threats to the information assets; (b) the criticality and sensitivity of the information assets; (c) the stage at which the information assets are within their life-cycle; and (d) the potential consequences of an information security incident.

Incident management

Must have robust mechanisms in place to detect and respond to information security incidents in a timely manner.

Testing control effectiveness

Must test the effectiveness of its information security controls, including those of its third parties, through a systematic testing program. It must escalate and report to the Board or senior management any testing results that identify information security control deficiencies that cannot be remediated in a timely manner.

Internal audit

Internal audit activities must include a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties.

APRA notification

Must notify APRA as soon as possible and, in any case, no later than 72 hours after becoming aware of an information security incident that: (a) materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers; or (b) has been notified to other regulators locally or abroad.

Must notify APRA as soon as possible and, in any case, no later than 10 business days after it becomes aware of a material information security control weakness which the entity expects it will not be able to remediate in a timely manner.

How Huntsman Security technology can help

Huntsman Security’s Essential 8 Scorecard and Next Gen SIEM can help you comply with APRA CPS 234 and improve your cyber security posture.

Measure security control effectiveness with the Essential 8 Scorecard

Huntsman Security’s Essential 8 Scorecard is a RegTech product that measures the effectiveness of your organisation’s security controls, that is, the controls designed to defend against cyber attacks and insider threats. It provides continuous, objective cyber metrics via dashboards and automatically distributed reports to key stakeholders across the business.

Figure: Essential 8 Scorecard – Trend Report


Real-time monitoring and APRA notification with Next Gen SIEM

Huntsman Security’s Next Gen SIEM undertakes enterprise-wide monitoring to increase the chance of early detection and to support the investigation and confirmation of what has actually occurred. All audit and event logs from affected systems are available for immediate retrieval via drill-down from an alert. Databases and file shares are monitored to explicitly record the type, sensitivity and number of records correlated with any activity suggesting data loss, such as copying, exporting, editing or deleting.

Figure: Next Gen SIEM Dashboard – Incident Status (incident response dashboard showing current status)


Find out more about APRA CPS 234 compliance