According to studies, almost 90% of Australian companies report that they receive around 5,000 cyber threats a day. Australia’s banks and insurers have always been the most attractive targets for cybercriminals.
As this is the case, the Australian Prudential Regulation Authority (APRA) has formulated a brand-new prudential standard to help organizations protect themselves in a better way.
The finalized standard, APRA CPS 234, is intended to make sure that APRA-regulated bodies are more resilient to cyber-attacks and can respond expeditiously to any security breaches.
So, what is CPS 234?
CPS 234 is an APRA standard that endeavors to make the financial services domain stronger against any information security issues that affect the confidentiality, integrity, and availability of information assets.
As cybercriminals are becoming more and more sophisticated, the new APRA standard has been drafted to ensure that the whole financial industry adopts a holistic information security monitoring program to continuously improve its IT security management systems.
The new standard applies to all the ‘APRA-regulated entities’, including banks, building societies, credit unions, general insurers, life & health insurers, among others.
The New Standard: What Are The Requirements?
- Precise definitions of roles and responsibilities
CPS 234 states clearly that an APRA-regulated entity’s information security policy framework must give clear direction on the roles and responsibilities of the board, governing bodies, and other concerned individuals.
- Maintaining information security capability
The new APRA standard emphasises the requirement for an entity to maintain an information security capability that is commensurate with the scope of the threats to its information assets. Information security capability refers to skill sets, resources, and controls.
- Information asset classification
Information assets, including those managed by third parties, are to be classified according to their criticality and sensitivity. This classification should take into account the impact that a security breach could have on the business, customers, key stakeholders, and other individuals.
- Implementing information security controls
APRA-regulated entities need to have information security controls in place to protect information assets, including those maintained by third parties. APRA also requires entities to carry out systematic controls testing, with the help of skilled specialists.
- Incident response
CPS 234 states that financial services businesses must maintain proper information security response plans that include mechanisms for handling the various stages of an incident and for escalating information security incidents to the board, senior management, governing bodies, and other individuals who are responsible for information security.
- Testing the effectiveness of information security controls
Entities must test the effectiveness of their information security controls at least annually through a systematic testing program. Which security controls are tested, and at what cadence, is decided based on the criticality of the assets concerned. Entities also need to evaluate whether third parties are conducting adequate testing.
- Notification of incidents and control weaknesses
Businesses must inform APRA of any cybersecurity or network security incident within 72 hours of becoming aware of it. Entities must also notify APRA within 10 days of becoming aware of an information security control weakness that they cannot remediate in a timely manner.
What Should Organisations Do?
The CPS 234 prudential standard may seem daunting to the many organizations that find it hard to comply. The best thing you can do to ensure your APRA-regulated entity meets the new security standard is to seek help from an expert cybersecurity company.