What is APRA CPS 234?
The Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security.
The Australian Prudential Regulation Authority (APRA) introduced Prudential Standard CPS 234, which came into effect on 1 July 2019. The standard addresses information security for ‘APRA-regulated entities’, which include:
- Deposit-taking institutions (i.e. banks)
- General insurers
- Life insurance companies
- Private health insurers
- Registrable superannuation entity (RSE) licensees.
The objective of the standard is to ‘minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including information assets managed by related parties or third parties’. To do this, the standard is broken up into nine key areas:
- Roles and responsibilities
- Information Security Capability
- Policy Framework
- Information asset identification and classification
- Implementation of controls
- Incident management
- Testing control effectiveness
- Internal audit
- APRA notification
Key requirements of this Prudential Standard are that an APRA-regulated entity must:
- Clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals;
- Maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity;
- Implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and
- Notify APRA of material information security incidents.
How Vectra can help with CPS 234 Compliance
Vectra has the resources to help you achieve CPS 234 compliance. Our process is:
- CPS 234 Gap assessment
- Risk remediation plan
- Achieve CPS 234 compliance
- Ongoing monitoring and assurance