Achieve compliance to APRA CPS 234
The latest Australian Prudential Regulatory Authority (APRA) Prudential Standard CPS 234 (The Standard) which addresses information security, came into effect 1 July 2019. It aims to mitigate the threat of cyber-attacks by ensuring that APRA-regulated entities take appropriate measures to be cyber resilient.
The Standard applies to all APRA regulated entities, which includes authorised deposit taking institutions (i.e. banks), general insurers, life insurance companies, private health insurers, and registrable superannuation entity licensees.
A summary of APRA CPS 234 requirements
A summary of the Standard’s requirements for APRA-regulated entities is detailed below. Full details can be found at the APRA site here.
Roles and responsibilities
The Board of an APRA-regulated entity is ultimately responsible for the information security of the entity.
Information security capability
Must actively maintain an information security capability commensurate with the size, changing nature and extent of threats to its information assets, and which enables the continued sound operation of the entity.
Must maintain an information security policy framework commensurate with its exposures to vulnerabilities and threats. The framework must provide direction on the responsibilities of all parties who have an obligation to maintain information security.
Information asset identification and classification
Must classify its information assets, including those managed by related parties and third parties, by criticality and sensitivity.
Implementation of controls
Must have information security controls to protect its information assets, including those managed by related parties and third parties. They must be commensurate with: (a) vulnerabilities and threats to the information assets; (b) the criticality and sensitivity of the information assets; (c) the stage at which the information assets are within their life-cycle; and (d) the potential consequences of an information security incident.
Must have robust mechanisms in place to detect and respond to information security incidents in a timely manner.
Testing control effectiveness
Must test the effectiveness of its information security controls, including those of its third parties, through a systematic testing program. It must escalate and report to the Board or senior management any testing results that identify information security control deficiencies that cannot be remediated in a timely manner.
Internal audit activities must include a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties.
Must notify APRA as soon as possible and, in any case, no later than 72 hours after becoming aware of an information security incident that: (a) materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers; or (b) has been notified to other regulators locally or abroad.
Must notify APRA as soon as possible and, in any case, no later than 10 business days, after it becomes aware of a material information security control weakness which the entity expects it will not be able to remediate in a timely manner.
How Huntsman Security technology can help
Measure security control effectiveness with the Essential 8 Scorecard
Huntsman Security’s Essential 8 Scorecard is a RegTech technology that measures the effectiveness of your organisation’s security controls; controls designed to defend against cyber attacks and insider threats. It provides continuous, objective cyber metrics via dashboards and automatically distributed reports to key stakeholders across the business.
Essential 8 Scorecard – Trend Report
Real-time monitoring and APRA notification with Next Gen SIEM
Huntsman Security’s Next Gen SIEM undertakes enterprise wide monitoring to increase the chance of early detection and support the investigation and confirmation of what has actually occurred. All audit and event logs from affected systems are available for immediate retrieval via drill down from alert. Databases and file shares are monitored to explicitly record type, sensitivity and number of records correlated with any activity suggesting loss such as copying, exporting, editing or deleting.
Next Gen SIEM Dashboard – Incident Status