CPS 234 Compliance Solution

Who Should Comply with CPS 234?

CPS 234 covers all APRA regulated entities, such as:

• Banks, credit unions & other authorised deposit-taking institutions (ADIs)
• Life insurance companies
• Superannuation funds
• General insurers
• Friendly societies
• Private health insurers
• Non-operating holding companies

Entities mentioned above hold important personally identifiable information and protected health information that cyber attacks would target during an attack.

CPS 234’s Information Security Capability Requirements

Under CPS 234, you have information security capability requirements that you have to meet.

This requires:

• Your organisation maintains an information security capability corresponding to your information assets’ size and extent of threats
• Evaluate the information security capabilities of related entities or third parties who manage information assets on behalf of the organisation
• Ensure your organisation maintains its information security capability and updates vulnerabilities and threats resulting from changes to assets or environment

To meet these requirements, regulated entities typically review the adequacy of resourcing, including funding and staffing resources and timely access to necessary skill sets.

CPS 234’s Information Security Policy Requirements

Entities regulated by APRA must maintain an information security policy framework that reflects their exposure to vulnerabilities and threats. The responsibilities of all parties that have an obligation to maintain information and data security should be given direction by your organisation’s policy.

The framework is typically structured as a hierarchy with higher-level policies supported by guidelines and procedures.

There are many common areas addressed in the policy framework, such as:

• Identification, authorisation, and granting of access to data assets
• Information security requirements should be considered at each stage in the life cycle of an asset (from acquisition through to decommissioning and destruction)
• The management of information security technology, including firewalls, anti-malware software, intrusion detection, intrusion prevention software, cryptographic systems and monitoring tools
• An overarching information security architecture is designed by identifying the approach for creating your IT environment from a security perspective
• Monitoring and incident management involves identifying, classifying, reporting, and escalating incidents. It also includes preserving evidence for investigation purposes
• Expectations when using third parties and related parties to maintain information security
• Acceptable use of information assets that comply with end-user responsibilities, including staff members, third parties, associates and customers
• Recruitment and screening of staff members and contractors
• Mechanisms to assess and measure compliance and the ongoing effectiveness of the information security policy framework

This framework would typically be consistent with other entity frameworks, such as risk management and service provider management.

CPS 234’s Information Asset Identification & Classification Requirements

APRA-regulated entities are obligated to classify information assets, including those managed by related parties and third parties.

This includes infrastructure and ancillary systems, such as environmental control systems & physical access control systems. It also encompasses information assets managed by third parties or related parties.

The relationships between sensitive or critical information assets and other assets that may have less significance but can be used to violate the security of those assets.

Additionally, this should reflect the extent to which information security incidents have the potential to affect – financially or otherwise – an entity or its customers.

Companies must have a classification methodology to label what constitutes an information asset to ensure that stakeholders are informed and aware. This method also provides context about granularity considerations and how assets are rated depending on their criticality or sensitivity. Note that assets can be given different ratings for criticality and sensitivity.

It’s common for entities to leverage their existing business continuity impact analyses – which typically assess criticality and other sensitive processes – to conduct the sensitivity analysis.

CPS 234’s Information Security Control Requirements

To comply with CPS 234, APRA regulated entities must implement information security controls to protect their data assets promptly and proportionate to the threat that they are facing, corresponding with:

• Identify existing & rising vulnerabilities and threats that could be critical to essential data assets
• The life cycle stage of an information asset
• The potential consequences of a data security incident

What are CPS 234’s Incident Management Requirements?

According to CPS 234, all APRA-regulated entities must have robust mechanisms to detect and respond to information security incidents as soon as possible.

There are many detection mechanisms for information security, including scanning, sensing, monitoring and logging solutions. These security controls will be more robust and more varied depending on the impact of a potential security incident, typically covering these broad categories:

• Physical hardware
• Higher-level activities like payments
• Changes to user access

What are CPS 234’s Control Testing Requirements?

CPS 234 requires regulated entities to perform systematic testing on information security controls of a nature and frequency corresponding to:

• The rate at which new vulnerabilities and threats come about
• The risks associated with being exposed to environments where the entity cannot enforce its information security policies
• The importance and sensitivity of the information asset(s)
• The consequences of a data security incident
• The significance and frequency of changes to information assets

Security controls need to be tested at least annually or whenever there is a material change in information assets or the business environment so that you can know if they are still effective and valid. To ensure that tests are successful, it’s essential to define the criteria for success clearly and when re-testing will be necessary.

Testing should be done by appropriately skilled, independent specialists who don’t have any conflicts of interest and can provide a fair evaluation.

What are CPS 234’s Internal Audit Requirements?

Reliable information security control assurance must be provided by skilled personnel. In addition, the internal audit function has to assess the information security control assurance provided by related or third parties in cases where:

• An information security incident that affects an entity’s information assets can have a long-term financial impact and the ability to harm customers
• Internal audits intend to rely on the information security control assurance provided by the related party or third party

If the assessment reveals a deficiency or if there is no assurance of meeting requirements, the issue is commonly raised with the Board for consideration.

When Must APRA Be Notified Under CPS 234?

APRA needs to be informed as soon as possible and no later than 72 hours after the entity is made aware of a security incident.

These are incidents that:

1. Could have had a substantial impact on or could substantially affect financially or non-financially the interests of depositors, policyholders, beneficiaries, and other customers
2. Have informed other regulators in Australia or other jurisdictions

When notifying APRA, they expect information to be provided, such as:

• Regulated entity name
• Date & Time of the incident
• When the incident was assessed as material
• Type of incident
• Description of the incident
• What the current status is
• Actions taken or planned

APRA must be informed as soon as possible and no later than ten business days after you become aware of an information security control weakness that the company cannot fix in time.

What Differences Are There Between CPS 234 and ISO 27001?

One key difference between the two standards is how they are enforced. Organisations achieving ISO 27001 certification must renew their certification every three years, with regular surveillance audits during this period. CPS 234 does not have a certificate; instead, APRA has many formal and informal enforcement tools.

Non-formal approaches include working with companies to identify and address problems before they threaten their ability to deliver on their promises.

Nevertheless, APRA is prepared to take enforcement action when appropriate – this can include court-based action or instructing companies to take or stop particular actions.

While ISO 27001 is recognised globally, APRA created the CPS 234 standard to meet the growing need for cyber security among entities found in the financial services industry. ISO 27001 is a much more comprehensive information security standard, and it applies to businesses in various sectors no matter their size, type or location.

CPS 234 was created to work in unison with ISO/IEC 27001, with requirements aligned with clauses and security controls outlined in ISO 27001. Both standards are designed to boost an organisation’s information security. Any business or organisation that is ISO 27001 accredited should have an easier time meeting CPS 234 requirements.

How Can Companies Be Prepared for Audits of CPS 234?

As you can see, there’s a lot to do to ensure compliance. The most manageable requirement to fulfil is ensuring that all cyber security staff have clearly defined, articulated, and communicated responsibilities across the organisation.

One of the biggest challenges to CPS 234 compliance can potentially be a lack of guidelines and practical application when it comes to third parties.

How ISMS.online Help

Our platform comes with various pre-built frameworks you can adopt, adapt, or add to, depending on your organisation’s unique needs. Or you can easily build your own for bespoke compliance projects.