APRA CPS 234 Information Security Standard: A Guide to Compliance

Set by the Australian Prudential Regulation Authority, the CPS 234 Information Security standard introduced in 2019 aims to ensure that APRA-regulated entities operating in the financial sector have sound and effective information security practices to protect their sensitive data from cyber threats. By adhering to this standard, financial institutions enhance their security posture, mitigate cyber risks, safeguard company data, and build trust and confidence.

In the past decade, cybercrime has seen a sharp increase. Malicious actors are finding more sophisticated and ingenious ways to compromise information assets – causing significant financial and reputational damage to businesses in Australia and worldwide. Financial institutions are especially susceptible due to the large amount of financial data and access to personally identifiable information that these organizations hold. Lacklustre information security systems, and a reliance on technology and third-party vendors by insurance, banking, and superannuation companies are exacerbating these problems.

The CPS 234 represented a huge leap in strengthening the financial service industry’s information security processes. The CPS 234 framework is designed to ensure that APRA-regulated entities maintain robust information security and operational resilience practices – protecting themselves and their customers from cyber risks.  CPS 234 also requires organizations to give more attention to IT vendor risk management ensuring incidents involving third parties are reduced.

Successfully understanding and integrating this regulation is not just a matter of compliance but a strategic imperative. It goes into the very core of how financial services institutions operate, safeguard information, and ultimately, how they uphold trust.

This blog explains what CPS 234 is, who must comply, and shares best practices for meeting the key information security requirements in the standard. And more importantly it shares how software can support organizations to implement process that align with CPS 234 requirements. 

What is CPS 234?

Set by the Australian Prudential Regulation Authority (APRA), CPS 234 for Information Security is a prudential standard aimed at APRA-regulated entities operating in the financial sector. Its main objective is to ensure that these organizations have sound & effective information security practices in place to minimize the likelihood and impact of information security risks and incidents. It is designed to protect the confidentiality, and integrity of information assets, including those managed by related third-party service providers.

The standard requires senior management to establish and maintain a comprehensive security policy framework, manage cyber risk, implement robust security controls, and define clear accountability for security roles and responsibilities. To align with CPS 234 requirements, entities must also have incident response plans and be able to respond effectively to potential security incidents. Regular testing and independent verification of controls for information technology assets are also a key requirement under CPS 234 to ensure ongoing compliance.

Why is CPS 234 important?

Cyber-attacks are increasing in impact, frequency, and sophistication, with perpetrators continually refining their efforts to compromise networks and systems. The CPS 234 information security framework for Australian financial organizations is important to ensure APRA–regulated entities are resilient to cyber-attacks and other information security risks. The standard also requires entities to respond promptly should a security incident occur.

CPS 234 is important for APRA-regulated entities. Heightened expectations from stakeholders including senior management, the Board, shareholders, regulators, and customers regarding the effective safeguarding of information assets has driven a need for more robust IT security measures – understanding the requirements of CPS 234 is therefore crucial for all APRA- regulated entities in the financial sector.

Who is CPS 234 relevant to?

CPS 234 applies to all legal entities regulated by the Australian Prudential Regulation Authority namely:

• Banking organizations, credit unions, neobanks, or any other authorized deposit-taking institutions
• Insurance companies
• Superannuation funds
• Non-operating holding companies
• Life companies and friendly societies
• Private health insurance companies

These entities are responsible for maintaining information security systems and practices that are appropriate for the threats they face. Furthermore, where an APRA-regulated entity’s information assets are managed or held by a third party, the requirements in CPS 234 also apply to the third-party.

What are the key requirements of CPS 234?

The intention and structure of CPS 234 is designed to promote and encourage good security practices within financial institutions and put adequate responsibility and accountability on the Board. The CPS 234 Information Security standard requires firms to implement the following practices.

Define roles and responsibilities including board involvement: According to CPS 234, the Board of an APRA-regulated entity is ultimately responsible for the information security of the organization. The Board should provide management with a clear outline of how it expects to be engaged in information security and provide guidance around the processes for risk escalation and any reporting requirements. Furthermore, organizations must have clearly defined information security-related roles with clear responsibilities for the Board and senior management regarding responsibility for decision-making, approvals, operations, and other information security processes. These provisions are designed to encourage the formation of cross-functional teams to provide proper oversight and governance on information security.

Maintain an information security capability with effective cyber risk management: An APRA-regulated entity must maintain information security measures appropriate with the size and extent of the threats to its information assets to ensure data is safe and the organization remains operational. This includes the ability to identify and manage cyber risks & vulnerabilities through regular risk assessments and testing. Firms must establish a cyber risk register, define Key Risk Indicators (KRIs), monitor risk levels, and take the appropriate actions to keep cyber risk within tolerable levels.

Manage third-party IT risk: CPS 234 requires firms to regularly assess the information security capability of third parties and continuously monitor threats.  This includes using third-party risk assessments to identify potential risks, using third party intelligence tools to understand risk relating to each vendor, and monitoring performance against SLAs and KPIs. Organizations must establish remediation recommendations based on vendor risk assessment results to ensure that third party risks are addressed promptly. 

Have adequate cyber security policies: The policy framework guidelines in CPS 234 require an APRA-regulated entity to maintain an information security policy library commensurate with its exposures to vulnerabilities and threats. This ensures that internal teams and third parties are aware of information security policy requirements and adhere to them and that they are regularly evaluated.

Information asset identification and classification: This CPS 234 provision requires APRA-regulated organizations to classify their information assets by criticality and sensitivity, including those managed by third parties and related parties. These rankings must reflect the degree of which an information security incident affecting that asset could affect the organization and its finances, operations, policyholders, and customers. To jump-start this process, teams must define a methodology to track and quantify data risks and monitor these on an ongoing basis.

Criteria used to classify data assets might include financial impact, reputational impact, its exposure to operational or client-facing processes, its criticality to business performance and operations, its criticality to business performance & operations, and any related legal or regulatory considerations.

Implementation of controls: To comply with CPS 234, organizations must have information security controls to protect critical information assets. Firms must identify existing and rising vulnerabilities and threats for each data asset, classify the criticality and sensitivity of the asset, understand the life cycle stage of all information assets, and document the potential consequences of a data security incident.

Control testing: An APRA-regulated entity must test the effectiveness of its information security controls through a systematic testing program. This includes controls for any data assets managed by third parties. Testing must align with the rate at which vulnerabilities and threats change, the criticality & sensitivity of the data asset, the consequences of an information security incident, any areas where the organization is unable to enforce its information security policies, and the frequency of change to information assets.

Any control deficiencies that cannot be remediated promptly must be escalated to senior management and the Board to ensure swift resolution. 

Cyber incident management: APRA-regulated entities are also required to have a series of policies and procedures in place to detect and respond to information security incidents in a timely manner. This includes incident reporting, escalation, and resolution.

Implementing a well-tested and proven cyber incident management process is key to accelerating incident discovery and mitigation. Firms must ensure employees know when and how to report a cyber incident and they must have clearly defined processes for escalation and remediation. 

Cyber audits: In this category, an APRA-regulated organization’s internal audit function must include a review of the design and operating effectiveness of information security controls – including those maintained by third parties. Teams can standardize information security assessments against information security control frameworks such as ISO 27001, COSO, or SOC 2. By doing so, IT security and internal audit teams can implement a central methodology for measuring and demonstrating adherence to internal IT controls and ensure a consolidated view of their information security system. 

Process to notify APRA: In the final category of requirements, entities must notify APRA within 72 hours after becoming aware of a material information security incident, and within 10 business days after it becomes aware of an information security control weakness that cannot be remediated effectively and promptly. 

To meet this requirement, teams must ensure effective reporting channels. Teams can use risk monitoring and control testing data to highlight potential problems, and relevant stakeholders can decide if APRA notification is required and escalate accordingly. 

How can GRC software help with CPS 234 compliance?

GRC software can support APRA regulated entities to successfully manage the prudential CPS 234 information security standard in the following key areas:

Manage IT and cyber risks: GRC software empowers organizations to meet CPS 234 requirements by offering a framework to implement a best-practice IT risk management program. By identifying cyber risks, creating IT & cyber risk registers, and conducting online cyber risk assessments in the platform, teams can get a holistic view of cyber risk exposure. Regulated entities can establish Key Risk Indicators (KRIs) and continuously monitor risk levels. Automated workflows facilitate risk escalation and the implementation of risk treatment actions.

Set controls to reduce cyber risk: GRC software provides a best-practice framework for companies to set controls to manage cyber risk. Firms can capture critical details around vulnerabilities and threats, the critically and sensitivity of the data, the stage at which the information assets are within their lifecycle, and the consequences of a security incident. Controls can be linked to the relevant data set and any corresponding cyber risks in the risk register.

Testing and control effectiveness: CPS 234 enabled GRC software enables APRA-regulated entities to establish a control testing program that aligns with the rate at which threats & vulnerabilities change, considers the criticality & sensitivity of the data, examines the consequences of a security incident, considers exposure to environments where IT policies can’t be enforced, and the frequency of change to information assets. Organizations can also perform control tests for controls relating to relevant third parties who hold company data. Any control deficiencies can easily be reported to the relevant stakeholder and automated workflows allow for swift escalation & resolution of control inefficiencies.

Third-party risk management: GRC software enables firms to implement a best-practice third-party risk management process to effectively oversee the cyber risks and contractual arrangements with service providers. Firms can create a vendor library that captures essential data on contract details, SLAs, and KPIs, and relevant controls – and monitor ongoing performance against key metrics. Staff, vendors, and suppliers can conveniently complete questionnaires, surveys, and vendor risk assessments online – with all data feeding into the platform, building a profile of each vendor. Firms can utilize dashboards and reports to easily track vendor performance and cyber third-party risks. Many GRC solutions connect with third-party risk intelligence providers enabling them to view information about the financial stability, ethical considerations, legal and regulatory issues, and cybersecurity posture of each third party they work with.

Demonstrate compliance with CPS 234 and other standards & regulations: GRC software enables organizations to set up an obligations library and include any applicable regulations and any internal IT policies and monitor compliance by implementing step-by-step workflow processes and checks. Teams can receive regulatory update notifications from third-party regulatory content providers straight into the platform and implement a best-practice regulatory change management process to ensure all operations align with the relevant regulatory requirements.

Manage IT policies and ensure compliance: Leverage GRC software to establish an IT policy library and manage policy changes, approvals, signoffs, and attestations within the platform. Organizations can capture critical details regarding each policy and view reports on policy compliance and employee attestations. Policies can easily be linked to the relevant risks, controls, audits, and compliance requirements.

Manage cyber audits: Effectively plan and schedule any internal and external cyber audits. Firms can use best-practice workflows and forms to plan out and schedule audit requirements and internal auditors can complete the findings using online forms. All findings are captured in the platform and any recommendations can be implemented using best-practice case management workflows. Track recommendations and actions by linking audits back to risks and risk treatments where relevant. This provides complete end-to-end traceability and enables reporting to key stakeholders.

Manage & resolve cyber incidents: To align with the CPS 234 standard, most GRC software includes best-practice incident reporting capabilities to support organizations to effectively report and resolve cyber incidents quickly in line with CPS 234 requirements. Controls can easily be implemented to lower incident rates and cyber risks can be mapped to any related cyber incidents to ascertain the likely cause using root-cause analysis techniques. Firms can easily report on incident rates and implement new measures to reduce recurrence – bolstering continuous improvement efforts.

APRA notification workflow: Firms are required to have a formal escalation process in place to notify APRA of potential information security incidents and information security control weaknesses. GRC platforms enable firms to implement workflows to ensure stakeholders are promptly notified of any cyber incidents and ineffective controls enabling them to notify APRA within the designated timeframe and fully document the notification process. Send alerts via email or SMS with a direct link to the platform – enabling staff to carry out the necessary escalation actions.

Enhance your Organization’s Information Security Capabilities with CPS 234 Software

The CPS 234 prudential standard requires APRA-regulated entities across Australia to take measures to be resilient against cybercrime by maintaining an information security capability commensurate with their information security vulnerabilities and threats.

While the intention and structure of CPS 234 have been established to promote and encourage good security practices within financial institutions and put due responsibility and accountability on the Board, complying with these guidelines can be a complex process if not supported with the right software solution.

Request a demo today to learn how the Camms software can support your organization to implement structured, best-practice processes to meet CPS 234 requirements.