CPS-234 is a prudential standard that was announced by APRA on November 7, 2018 and applies to all APRA regulated entities, which includes all authorised deposit-taking institutions (ADIs), general insurers, life companies, private health insurers, RSE licensees etc.
What is a Prudential standard?
A prudential standard from APRA is enforceable unlike the Prudential Practice Guides (PPG) which are created as a guide for the entities, but are not enforceable. In the case of CPS-234, this means all entities are required to be compliant to the CPS-234 before the 1st of July 2019, except some organisations which may have a delayed enforcement date due to the nature of their business or if they have engaged a third party to provide them with services.
Why this prudential standard?
Cyber-attacks and breaches have become a growing concern in the past few years. It is important that regulators such as APRA develop standards to shore up the ability of regulated entities to defend themselves and the sensitive information they hold for their customers.
CPS-234 prudential standard aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyberattacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats. APRA states the key objective behind creating this prudential standard is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including information assets managed by related parties or third parties.
This prudential standard also states that the Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security. This is done to ensure board members are actively involved, fully support and regularly monitor the entity’s information security programme.
How can organisations comply?
I have seen some organisations are in the market for new technology because they have done a quick self-assessment and come to the conclusion that a technology solution will help them comply to CPS-234 but the discussion on what benefits will the said technology bring, what use cases will it address and how will it tie in to the broader company policy, framework and process is not mapped out. This approach may lead to an organisation buying multiple technologies (overspend) that all overlap in features (doubling up) and don’t necessarily map back to a specific business objective or goal (no 2-way traceability). Not to mention, the technology you just bought may not be the top priority your organisation needs to address.
Therefore, before any investment is made in technology for complying to CPS-234, the first and foremost exercise that has to be conducted by business or IT leaders should be a Gap Analysis. A Gap Analysis is an engagement where an experienced assessor understands the detailed requirements of CPS-234, understands your business, it’s values, structure, objectives and goals to then assesses your organisation against these requirements to give you a report of where you are as an organisation vs where you need to be. The gap analysis report will contain a roadmap of areas to improve in order of priority and with detailed information on what needs to be addressed in which area.
Once your organisation has visibility of where it stands and what the roadmap is, then you can either internally or by engaging a specialist third party like Content Security embark on ticking of the roadmap items
This will enable the organisation to spend the budget they have in the most sensible way and to get more value from the investment made. The benefit of this approach is that you end up spending on components that are top priority and have a clear visibility of which initiatives will give you the most amount of improvement in your security posture.
Lastly, keep in mind that CPS-234 is not just another compliance. CPS-234 closely adheres to the requirements of ISO 27001 as the internationally acceptable information security management system standard that ensures effectiveness and efficiency within security controls.
Content Security is currently assisting clients on their journey to achieving CPS-234 compliance. For more information, get in contact today.