Clarifying APRA CPS 234

By John Gates

July 10th, 2019

The Australian Prudential Regulation Authority (APRA) is responsible for regulations in Australia's financial bodies such as banks, insurance, and superannuation companies. As a result of the emerging amount of information on security incidents and cyber-attacks, APRA recently published a set of rules regarding information security handling- the CPS 234. Currently, APRA supervises institutions holding 6.5$ trillion in assets such as banks, credit unions, life insurance companies, building societies, health insurers, general insurers, and members of the superannuation industry. Moreover, because of the sensitive nature of the information held by these entities, APRA is fast-tracking the implementation of its new standard, the CPS 234, and requires compliance by the 1^st of July 2019. Compliance instructions are deeply detailed in a guideline published by APRA, the CPG 234. In the CPG 234, you'll find key points and actions that must be accomplished in order to achieve CPS 234 compliance.

Key points in the APRA CPS 234:

This regulation aims to ensure that an APRA regulated entity takes measures to make itself resilient against information security risks by maintaining an information security ability that suite information security threats. The key objective is to try to minimize the likelihood of impact on confidential information and assets that contain the information as much as possible, including those that are managed by related or third parties.

The Board of an APRA regulated organization is responsible for maintaining the organizations' information security. The key requirements of this standard are that an APRA regulated organization must:

Roles Definition- define information security-related roles of the Board, the senior management, governing bodies, and individuals.
Maintain Security Capabilities- maintain information security abilities that commensurate with the assets' threats size and the extent and enables sound operation of the entity.
Implement Security Controls- implement security controls to protect information assets, respectively to their criticality and sensitivity. Undertake systematic testing to ensure the effectiveness of those controls.
Incident Management- an entity must maintain plans to respond to information security incidents that the entity estimate that might occur. Those plans must include the mechanisms in place for:
*Managing all stages of an incident, from detection to post-incident review.
*Escalation and reporting of information security incidents to the Board and other responsible for this type of incident management.
Communication and responsiveness are the keys here. Therefore, those plans must be reviewed annually to ensure they remain effective.
Testing Control Effectiveness- CPS 234 requires entities to test the effectiveness of their information security controls regularly by using a systematic testing program. Testing frequency must be commensurate with:
*Vulnerabilities and threats change rates.
*The criticality and sensitivity of the information asset.
*The possible consequences of information security occurs incident.
*The exposure to environments not regulated by APRA thereby implements different security policies.
*The materiality of the asset and the frequency of changes in the asset.
Notify APRA- in any case of a security incident. No later than 72 hours if an information security breach occurs, regardless of the assets affected. No later than 10 business days, after learning of information security control weakness.

APRA CPS 234 particularly focus on third-party risk and notification on data breaches:

CPS 234 contains a directed intention to information assets managed by a related party or third-party entities. Here are some examples of the requirements with notifications regarding third-party entities:

Related or third parties that hold APRA regulated entities’ assets must be assessed by APRA regarding their information security capabilities.
Information security control must also protect assets managed by related or third parties.
APRA regulated entity must evaluate the related or third party's information security controls if their information assets are managed by this related or third party. In addition, the APRA regulated entity must make sure that the related or third party's nature and frequency of testing of the controls comply with APRA CPS 234 requirements.
APRA regulated entities' audit must include the information security control provided by a related party of the third party.

The bottom line, related parties and third parties that manage APRA regulated entities' information assets must have CPS 234 compliance. This must be implemented the earlier of the next renewal date of the contract with the third party or the 1^stof July 2020.

With the release of CPS 234, a set of guidelines was also released by APRA- the CPG 234. The CPG 234 contains an accurate set of actions to be performed to achieve CPS 234 compliance. The CPG 234 will be discussed in future blog posts.

https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf

https://www.upguard.com/blog/apra-cps-234-information-security-prudential-standard

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Clarifying APRA CPS 234

Key points in the APRA CPS 234:

APRA CPS 234 particularly focus on third-party risk and notification on data breaches:

Subscribe to Email Updates

You might be interested

Experience a personalized demo