
How do I comply with CPS 234?



What is APRA CPS 234?

APRA CPS 234 is a prudential standard set by the Australian Prudential Regulation Authority (APRA) for regulated entities operating in the financial sector. Its main objective is to ensure that these entities have sound and effective security capabilities in place to protect their sensitive information assets from cyber threats. The standard requires senior management to establish and maintain a comprehensive security policy framework, implement robust security controls, and have clear accountability for security roles and responsibilities. These entities must also have incident response plans and be able to respond effectively to potential security incidents. Regular testing and independent verification of security control effectiveness are also key requirements under CPS 234 to ensure ongoing compliance. By adhering to CPS 234, financial institutions can enhance their security posture, mitigate cyber risks, and ensure the trust and confidence of their customers and stakeholders.

Who is required to comply With CPS 234?

CPS 234 is a prudential standard developed by the Australian Prudential Regulation Authority (APRA) to ensure the security of information and information systems within the financial sector. The standard applies to all APRA-regulated entities, including authorised deposit-taking institutions, general insurers, life companies, and RSE licensees.

Authorised deposit-taking institutions, such as banks and credit unions, are required to comply with CPS 234 to safeguard sensitive information assets and protect against cyber threats. General insurers, which include property, casualty, and car insurance companies, must also adhere to CPS 234 to ensure the security of their information systems.

Life companies, involved in the provision of life insurance, as well as RSE licensees, which manage superannuation funds, are required to comply with CPS 234 to enhance the security capabilities of their organizations. These entities play a significant role in the financial sector and are responsible for safeguarding the sensitive financial and personal information of their customers.

Understanding the requirements of CPS 234

Understanding the requirements of CPS 234 is crucial for all APRA-regulated entities in the financial sector. This prudential standard sets out key requirements and expectations for the security of information and information systems, ensuring the protection of sensitive information assets and mitigating cyber threats. It applies to authorised deposit-taking institutions, general insurers, life companies, and RSE licensees, emphasising the need for robust security controls and capabilities. By complying with CPS 234, these entities can enhance their security frameworks, establish incident response plans, and implement effective security policies and controls. Understanding these requirements enables organisations to meet their obligations, protect their customers, and maintain the trust and confidence of the financial sector.

Security capabilities and controls

Meeting the requirements of CPS 234, the prudential standard issued by the Australian Prudential Regulation Authority (APRA), necessitates robust security capabilities and controls for APRA-regulated entities. These entities, such as financial institutions, friendly societies, and superannuation funds, must ensure the security of their sensitive information assets and protect against cyber threats and vulnerabilities.

To comply with CPS 234, it is essential for APRA-regulated entities to establish effective mechanisms to identify, assess, and remediate both existing and emerging security vulnerabilities and cyber threats. This includes conducting systematic testing and ongoing monitoring to detect and address security control weaknesses promptly.

Maintaining the supportability of hardware and software is crucial to minimize exploitable vulnerabilities within an entity's systems. It is vital to implement secure software development and acquisition techniques to ensure that software functions as intended and aligns with the entity's information security policy framework.

Furthermore, APRA-regulated entities should have incident response plans in place that give timely access to key information and support a direct response to potential security incidents. It is also recommended to engage independent specialists to assess the ongoing effectiveness of security controls and provide insights for further improvement.

By embracing these security capabilities and controls, APRA-regulated entities strive to protect themselves against cyber incidents, strengthen their security operations, and safeguard the integrity of the financial sector.

Senior management responsibilities

Senior management plays a vital role in ensuring compliance with CPS 234 and maintaining the information security of an APRA-regulated entity. They bear ultimate responsibility for the entity's security capabilities, controls, and response to potential security incidents.

Good governance is crucial in information security, and senior management must provide effective oversight and guidance to ensure the entity's security posture aligns with regulatory requirements. This includes establishing clear roles and responsibilities throughout the organization, from the board level down, to effectively manage and protect sensitive information assets.

Senior management must communicate the importance of information security to all employees, ensuring a shared understanding of its role in the organization's overall objectives. They must promote a culture of security awareness and accountability, encouraging employees to take ownership of their security responsibilities.

An effective information security (IS) policy framework is essential for senior management to communicate their directives to all relevant parties. This framework should include policies, standards, guidelines, and procedures that set out expectations and provide a basis for implementation and compliance. It should address key areas such as risk management, incident response, access controls, training, and ongoing monitoring.

By fulfilling their responsibilities, senior management can drive a strong security culture, enhance the entity's security capabilities, and ensure compliance with CPS 234. Good governance and effective communication of roles and responsibilities are essential to achieving these objectives.

Systematic testing and auditing activities

Systematic testing and auditing activities play a crucial role in complying with CPS 234, the prudential standard set by the Australian Prudential Regulation Authority (APRA) for information security. Internal audit activities are essential for ensuring the effectiveness and adherence of information security controls.

To comply with CPS 234, internal audit activities need to include a thorough review of the design and operating effectiveness of information security controls. This includes controls maintained by related parties and third parties. It is important to assess the controls implemented by these parties to ensure they align with the entity's information security requirements.

Various information security control frameworks can be used as a reference during systematic testing and auditing activities. These frameworks include SOC 2, Cyber Essentials, and ISO standards. By adopting these frameworks, entities can enhance their information security posture and align with industry best practices.

In addition to internal audits, standardized information security assessments can be conducted to measure adherence to internal IT controls and assess the controls implemented by third parties. These assessments provide a comprehensive overview of the entity's information security capabilities and identify any gaps or weaknesses that need to be addressed.

Through systematic testing and auditing activities, entities can demonstrate their commitment to information security and ensure compliance with CPS 234. It enables them to identify and mitigate risks, strengthen their security controls, and protect sensitive information assets effectively.

Security policy framework

To comply with CPS 234, entities are required to establish and maintain an information security policy framework that is commensurate with their vulnerabilities and threats. This policy framework serves as a guiding document that outlines the entity's approach to information security and provides directions for maintaining the confidentiality, integrity, and availability of sensitive information assets.

The security policy framework should clearly define the responsibilities of all parties involved in maintaining information security, including internal teams and third parties. It should outline the roles and responsibilities of senior management, IT teams, and employees in ensuring the ongoing effectiveness of information security controls.

Additionally, the framework should address the specific vulnerabilities and threats faced by the entity. This includes identifying potential security incidents and providing guidance on their detection, response, and resolution. By aligning the framework with the entity's unique risk profile, the entity can tailor its security policies and controls to effectively mitigate the identified risks.

A robust security policy framework not only helps entities comply with CPS 234 but also ensures a proactive approach to information security. By establishing clear responsibilities and guidelines, entities can better protect themselves from security vulnerabilities and demonstrate their commitment to safeguarding sensitive information assets.

Robust mechanisms for identifying and responding to security incidents

Robust mechanisms for identifying and responding to security incidents are essential for APRA-regulated entities to ensure the ongoing security of their information assets. A proactive approach to incident detection and response is crucial in today's rapidly evolving threat landscape.

The first component of a robust incident response mechanism is incident detection. This involves implementing security controls and monitoring systems to identify any unusual or suspicious activities that could indicate a potential security incident. Regular and systematic testing should be conducted to ensure the effectiveness of these controls and to identify any security control weaknesses.

Once a security incident has been detected, prompt incident recovery is key. This involves taking immediate action to mitigate the impact of the incident and restore the affected systems and data. It also includes investigating the root cause of the incident to prevent similar incidents from occurring in the future.

Furthermore, robust incident response mechanisms require timely incident notification and communication. Internal teams, senior management, and external stakeholders should be informed about the incident in a clear and concise manner. This facilitates a swift and coordinated response to the incident, minimizing its impact and ensuring the necessary actions are taken to protect sensitive information assets.

Regulated entities should also implement key measures such as security investigations, evidence preservation, and forensic analysis as part of their incident response processes. These measures help in determining the scope and nature of the incident, gathering evidence for compliance and legal purposes, and identifying any potential security vulnerabilities that may have been exploited.

Sensitive information assets protection

To protect sensitive information assets in compliance with CPS 234, there are several steps that need to be followed.

The first step is to properly identify and classify critical and sensitive information assets. This involves understanding the nature of the information being handled, determining its criticality and sensitivity, and assessing the potential risks associated with its compromise. Factors such as the value of the information, its impact on the business operations, and the legal and regulatory requirements should be considered when classifying information assets.

Once the critical and sensitive information assets have been identified and classified, appropriate security controls and measures should be implemented to protect them. This can include encryption, access controls, user authentication, data backup and recovery processes, and regular system monitoring. These controls should be aligned with the security policies and requirements outlined in CPS 234.

It is important to note that non-sensitive and non-critical information assets can still have an impact on critical and sensitive ones. For example, a vulnerability or compromise in a non-sensitive system can be exploited to gain access to sensitive systems or data. Therefore, it is crucial to ensure that all information assets, both sensitive and non-sensitive, are adequately protected and monitored.
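The point above, that a low-rated asset on a path into a sensitive system must be protected at the sensitive system's level, can be made mechanical with a small reachability calculation over the asset register. The following is an added example, not code from 6clicks or from CPS 234: the asset names, the "can reach" edges and the per-level control sets are constructed sample data, and the four criticality levels and baseline control lists are assumptions chosen for the illustration.

```python
"""Effective-criticality propagation over an asset inventory (added example).

Each asset has a declared classification. A directed edge (A, B) means A can
reach B (network path, shared credential, service account, etc.). An asset's
*effective* criticality is the highest criticality of anything it can reach,
so a "low" host that sits on a path into a critical system is protected at
the critical level. All names, edges and control lists are constructed.
"""
from collections import deque

LEVELS = {"low": 0, "medium": 1, "high": 2, "critical": 3}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}

# Minimum control set per level (assumed for the example, not a CPS 234 mapping).
BASELINE_CONTROLS = {
    "low": {"patching", "logging"},
    "medium": {"patching", "logging", "access-review"},
    "high": {"patching", "logging", "access-review", "mfa", "encryption-at-rest"},
    "critical": {"patching", "logging", "access-review", "mfa",
                 "encryption-at-rest", "continuous-monitoring"},
}

# Constructed sample asset register: name -> declared classification.
ASSETS = {
    "core-banking-db": "critical",
    "customer-portal": "high",
    "app-server": "medium",
    "print-server": "low",
    "jump-host": "low",
    "marketing-wiki": "low",
}

# Constructed reachability edges: (source, target) means source can reach target.
EDGES = [
    ("customer-portal", "app-server"),
    ("app-server", "core-banking-db"),
    ("jump-host", "core-banking-db"),
    ("print-server", "jump-host"),
]


def build_adjacency(edges):
    """Adjacency map {source: {targets}} from an edge list."""
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, set()).add(dst)
    return adj


def reachable(asset, adj):
    """Breadth-first search: every asset reachable from `asset` (cycle-safe)."""
    seen = set()
    queue = deque(adj.get(asset, ()))
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(adj.get(node, ()))
    return seen


def effective_criticality(assets, edges):
    """Return {asset: level name} where level = max(declared, reachable levels)."""
    adj = build_adjacency(edges)
    result = {}
    for name, declared in assets.items():
        level = LEVELS[declared]
        for other in reachable(name, adj):
            # Unknown targets are treated as "low"; they still show up as a gap
            # in the register, which is itself worth flagging in practice.
            level = max(level, LEVELS[assets.get(other, "low")])
        result[name] = LEVEL_NAMES[level]
    return result


def control_gaps(assets, edges, implemented):
    """Controls each asset still lacks for its *effective* level."""
    gaps = {}
    for name, level in effective_criticality(assets, edges).items():
        missing = BASELINE_CONTROLS[level] - implemented.get(name, set())
        if missing:
            gaps[name] = sorted(missing)
    return gaps


if __name__ == "__main__":
    # Constructed: which controls are currently in place per asset.
    IMPLEMENTED = {"core-banking-db": BASELINE_CONTROLS["critical"],
                   "jump-host": {"patching"}}
    for asset, lvl in effective_criticality(ASSETS, EDGES).items():
        print(f"{asset:18} declared={ASSETS[asset]:8} effective={lvl}")
    print(control_gaps(ASSETS, EDGES, IMPLEMENTED))
```

In the sample data the print server is declared "low" but reaches the jump host, which reaches the core banking database, so both inherit "critical" and the gap report lists the controls they are missing; the marketing wiki, which reaches nothing sensitive, stays "low". The same propagation works for any register and edge list, not only the six assets shown.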

By following the guidelines and requirements of CPS 234, organizations can effectively protect their sensitive information assets and minimize the risk of security incidents. Ongoing monitoring, periodic testing, and continuous improvement are essential to ensure compliance and maintain a strong security posture.

Implementing the requirements of CPS 234

Implementing the requirements of CPS 234 involves a systematic and comprehensive approach to ensure the security and protection of critical and sensitive information assets. This requires identifying and classifying these assets, implementing appropriate security controls and measures, and ensuring the ongoing effectiveness of these measures. It is essential to understand the potential risks associated with the compromise of these assets and align the security controls with the requirements outlined in CPS 234. Additionally, it is crucial to recognise that non-sensitive and non-critical information assets can still pose a risk to sensitive ones, so protection and monitoring must cover all information assets. By diligently following the guidelines and implementing robust security measures, organisations can ensure their compliance with CPS 234 and enhance their overall security posture.

Document security policies and procedures in line with CPS 234 requirements

To comply with CPS 234, APRA-regulated entities need to document and maintain their security policies and procedures in line with the requirements set out by the Australian Prudential Regulation Authority (APRA). This is crucial in ensuring that their security capabilities are commensurate with the size and complexity of their operations.

Creating and maintaining an information security policy framework is a key component of complying with CPS 234. This framework should outline the entity's overall approach to managing information security risks and should be structured in a hierarchical manner. The policy hierarchy should include an overarching information security policy that sets the high-level objectives and principles, followed by supporting policies and procedures that address specific areas such as access control, incident response, and third-party vendor management.

Common areas that should be addressed within the information security policy framework include governance and accountability, risk management, access controls, incident management, and ongoing monitoring and reporting. These policies and procedures should be regularly reviewed and updated to ensure their ongoing effectiveness in addressing the ever-changing threat landscape.

Periodically evaluating and adjusting the information security policy framework is of utmost importance. This ensures that any changes within the entity's business environment, emerging security vulnerabilities, or material information security incidents are adequately addressed. Entities should conduct systematic testing and maintain robust mechanisms to validate security control assurance, and engage independent specialists to assess security control weaknesses and provide recommendations for improvement.

Establish robust internal audit function for regular systematic testing

Establishing a robust internal audit function is crucial for regular systematic testing to ensure compliance with CPS 234. This function plays a key role in providing information security control assurance for APRA-regulated entities.

To establish such a function, the entity should have skilled personnel dedicated to performing internal audit activities specifically related to information security. These personnel should possess the necessary expertise and knowledge to assess the effectiveness and adequacy of the entity's information security controls.

In addition to evaluating internal controls, the internal audit function should also assess the information security control assurance provided by related parties or third-party vendors. This assessment is important to identify any potential deficiencies or lack of assurance in the entity's information security.

If deficiencies or lack of assurance are detected, the entity should have a process in place to address them promptly. This may involve taking corrective actions, implementing additional controls, or reevaluating the engagement with related parties or third-party vendors.

Regular systematic testing should be conducted by the internal audit function to validate the effectiveness and efficiency of information security controls. This testing should cover various areas, including access controls, incident management, risk management, and ongoing monitoring.

By establishing a robust internal audit function and conducting regular systematic testing, entities can ensure their compliance with CPS 234 and enhance their information security capabilities.

Reporting requirements of CPS 234

Under CPS 234, APRA-regulated entities are required to establish a robust framework for reporting incidents and ensuring timely access to information. This includes having appropriate policies and procedures in place to guide incident reporting and response, as well as mechanisms for communicating and escalating incidents to senior management and the Australian Prudential Regulation Authority (APRA).

Entities must also have incident response plans that outline the steps to be taken in the event of a cyber incident. These plans should detail the roles and responsibilities of key personnel, the processes for assessing and mitigating the incident, and the criteria for determining when to notify APRA.

In addition to reporting actual incidents, entities are also required to report potential security incidents. This includes situations where there is a reasonable belief that a security event could occur, even if it has not yet happened. Timely reporting of potential incidents is crucial for proactively managing and mitigating risks.

Entities must ensure that the reporting process is well-documented, transparent, and accountable. This includes keeping records of reported incidents, actions taken, and any follow-up measures implemented. The information provided in these reports should be accurate, concise, and provide a clear understanding of the incident and its impact on the entity's operations.

By complying with these reporting requirements, APRA-regulated entities can effectively monitor and manage information security incidents, ensuring the ongoing effectiveness of their security controls and the protection of sensitive information assets.

Notifying APRA of material information security incidents within the required timeframes

Under CPS 234, APRA-regulated entities are required to promptly notify APRA of material information security incidents within specified timeframes. The notification process ensures that APRA is informed about incidents that could have a substantial impact on the interests of customers.

Entities must notify APRA within 72 hours of becoming aware of a security incident that could have a substantial impact on the interests of customers. This includes incidents such as data breaches or cyberattacks that may compromise sensitive information assets or disrupt the entity's operations.

Additionally, if an entity identifies a control weakness that cannot be promptly remedied, they must notify APRA within 10 business days. This allows APRA to assess and address any potential security vulnerabilities or gaps in the entity's security capabilities.
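The two timeframes above (72 hours for a material incident, 10 business days for a control weakness that cannot be promptly remedied) are easy to miss if awareness is recorded informally, so incident response tooling usually computes and tracks the deadline from the moment of awareness. The following is an added example, not code from 6clicks or from APRA: the timeframes are the ones the page states, while the business-day counting convention (the day of awareness is not counted, weekends are skipped) and the holiday calendar are assumptions made for the illustration.

```python
"""APRA notification deadline tracker (added example, not 6clicks code).

Timeframes used are those stated on the page: 72 hours for a material
information security incident, 10 business days for a control weakness that
cannot be promptly remedied. Business-day counting skips weekends and an
assumed holiday set; both conventions are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from typing import Optional

INCIDENT_WINDOW = timedelta(hours=72)
WEAKNESS_BUSINESS_DAYS = 10

# Assumed holiday calendar for the example (one entry; a real deployment would
# load the relevant public-holiday list for the entity's jurisdiction).
ASSUMED_HOLIDAYS = frozenset({date(2024, 1, 26)})


def add_business_days(start: date, days: int, holidays=frozenset()) -> date:
    """Advance `start` by `days` business days, skipping weekends and holidays.
    The start day itself is not counted (assumed convention)."""
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def incident_deadline(aware_at: datetime) -> datetime:
    """72 hours from the moment the entity became aware of the incident."""
    return aware_at + INCIDENT_WINDOW


def weakness_deadline(aware_on: date, holidays=ASSUMED_HOLIDAYS) -> date:
    """10 business days from the day the control weakness was identified."""
    return add_business_days(aware_on, WEAKNESS_BUSINESS_DAYS, holidays)


@dataclass
class Notification:
    """One reportable item: kind is "incident" or "weakness"."""
    kind: str
    aware_at: datetime
    notified_at: Optional[datetime] = None

    def deadline(self) -> datetime:
        if self.kind == "incident":
            return incident_deadline(self.aware_at)
        if self.kind == "weakness":
            # Treat the business-day deadline as end of that day.
            d = weakness_deadline(self.aware_at.date())
            return datetime.combine(d, time(23, 59, 59), tzinfo=self.aware_at.tzinfo)
        raise ValueError(f"unknown notification kind: {self.kind}")

    def status(self, now: datetime) -> str:
        """open / overdue while unreported; notified-on-time / notified-late once sent."""
        due = self.deadline()
        if self.notified_at is not None:
            return "notified-on-time" if self.notified_at <= due else "notified-late"
        return "open" if now <= due else "overdue"


if __name__ == "__main__":
    # Constructed sample: awareness on Wednesday 2024-01-24 10:00 UTC.
    aware = datetime(2024, 1, 24, 10, 0, tzinfo=timezone.utc)
    inc = Notification("incident", aware)
    weak = Notification("weakness", aware)
    print("incident due :", inc.deadline().isoformat())
    print("weakness due :", weak.deadline().date().isoformat())
    print("incident now :", inc.status(aware + timedelta(hours=80)))
```

With the sample awareness time the incident deadline is 2024-01-27 10:00 UTC; the weakness deadline lands on 2024-02-08, because the assumed holiday on Friday 26 January and two weekends are skipped. The status method gives a triage queue a single field to sort and alert on, which is the practical form of the "clear reporting lines" the standard asks for.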

The notification process is crucial for maintaining transparency and accountability in the financial sector. It ensures that APRA is aware of significant security incidents and control weaknesses, enabling them to take appropriate actions to protect the interests of customers and ensure the sound operation of the entity.

Entities are required to have robust mechanisms and processes in place to enable timely and accurate notifications to APRA. This includes establishing clear reporting lines and responsibilities, maintaining comprehensive incident response plans, and conducting systematic testing and assurance of their security control framework.

By adhering to the notification requirements, entities demonstrate their commitment to addressing and mitigating security risks, and contribute to the overall resilience of the financial sector.

Conclusion

The key principles and requirements outlined in CPS 234 include timely notification of security incidents to APRA, addressing control weaknesses promptly, and establishing robust mechanisms and processes for incident response. These measures aim to enhance the security capabilities of entities and maintain the sound operation of the financial sector.

Adopting strong security measures and practices is crucial in safeguarding sensitive financial data. With the increasing sophistication of cyber threats, entities must prioritize implementing comprehensive security policies, conducting systematic testing and assurance, and maintaining clear reporting lines and responsibilities. By doing so, they can enhance their security control framework, mitigate potential security vulnerabilities, and protect the interests of customers.
