The role of the Australian Prudential Regulation Authority (APRA) has come into sharper focus in recent months. The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry – which held its hearings throughout 2018, with the final report of Commissioner Kenneth Hayne recommending the biggest changes to Australian banks since deregulation in the 1980s – put Australia’s financial regulators under the spotlight.
While the Australian Securities and Investments Commission (ASIC) is often in the news thanks to its more consumer-facing role, APRA – the body responsible for licensing and prudential supervision – was more of a behind-the-scenes organization. Today, its role is undergoing intense scrutiny as it tries to prove it can hold the Australian financial services industry to account.
All of that means APRA-regulated entities need to take a closer look at APRA’s new prudential standard, if only because the Royal Commission means APRA’s teeth are sharper and scrutiny around compliance is more intense. With that, ladies and gentlemen, let us introduce APRA’s CPS 234.
CPS 234: Bringing Cybersecurity Into Focus for Financial Institutions
A new prudential standard that specifically defines information security requirements for the protection of information assets, CPS 234 sets out baseline obligations for regulated organizations. It brings to the forefront the importance of strong cybersecurity in the information age, aiming to minimize the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, writes Tommy Viljoen for Deloitte. He reminds us that the Board of any APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security.
CPS 234 has become necessary because of the constantly evolving cyber threat landscape of the digital age. Think about the common threats – payment and card fraud, mobile and app vulnerabilities, supply chain attacks, location-data abuse – all of which hit the financial services sector particularly hard, because it remains a top target for criminals and other threat actors. Not having a robust cybersecurity policy and a tested incident response plan leaves financial services organizations – and their customers – exposed to significant breaches.
A mandatory standard, CPS 234 became effective on July 1, 2019, which means governance teams need to get their houses in order now, if they haven’t done so already. (The one transitional allowance concerns information assets managed by third parties: for those, the entity must comply from the earlier of the next renewal date of the contract or July 1, 2020.) It largely reflects the existing practice guide CPG 234, but where CPG 234 offered guidance, CPS 234 makes the obligations mandatory and enforceable – which means organizations can now be held to account or face sanctions.
What Are the Regulatory Requirements of CPS 234?
In the Insider Threat Security Blog, Ryan Tully puts the requirements in layman’s terms:
- “Everyone needs to know exactly what their responsibilities are when it comes to securing data and infrastructure. These responsibilities need to be documented.”
- “There needs to be a plan in place to protect the data and infrastructure in the organization. The context and scope of this plan depends on the type of data in play, the risk of threat, the common threats they may undergo, or other factors that impact it. This won’t be a ‘one-size-fits-all’ approach to security.”
- “If there is a data breach or a similar event where information is compromised, APRA needs to be informed.”
In essence, this is fairly standard security practice; CPS 234 just puts best practice into a mandatory regulation and requires regulated entities to report on progress and breaches.
To comply with CPS 234, organizations should understand their assets and threats, and have a plan for managing asset protection.
But What Does All This Mean for Entity Management?
In short, APRA-regulated entities need to up their game when it comes to information security, ensuring they have:
- Built a framework and policies for cybersecurity.
- Understood organizational accountability and reporting.
- Identified and classified all information assets.
- Investigated and documented the information security capability of any third party or related party that manages their information assets.
- Set up a process for systematic testing to ensure security remains up to date with the evolving threat landscape.
- Detailed internal audit processes.
- Implemented formal incident response plans, including how and when to notify APRA of breaches and incidents.
Entities must also have in place the ability and procedure for notifying APRA as soon as possible – and in any case no later than 72 hours – after becoming aware of an information security incident that materially affected, or had the potential to materially affect, the entity or the interests of its depositors, policyholders, beneficiaries or other customers, or that has been notified to another regulator. Separately, a material information security control weakness that the entity expects it cannot remediate in a timely manner must be notified to APRA no later than 10 business days after becoming aware of it. Missing either deadline puts the entity in a state of non-compliance.
Having this important information security work now under a mandatory regime means that compliance, governance and legal operations teams need to be clear about what their organization’s internal processes are, where the gaps in the system lie, and that the incident response plan is clearly documented and stored somewhere easily accessible in case of an emergency. They need to understand the threat, define controls and testing, and prepare and practice their response plan – a 72-hour clock that starts when anyone in the organization becomes aware of an incident leaves no time to work out who decides whether to notify.
CPS 234 will hold the board accountable for information security and cyber incidents, so the board must be fully aware of their roles and responsibilities, as well as checking up on the responsibilities of those directly responsible for this all-important area. Organizations must know exactly what happens once the whistle is blown, and a governance framework must include clear steps to take.
Yes, it’s time for a process audit, some risk management brainstorming and a meeting of minds to generate the best CPS 234 compliance plan for your organization – and an education campaign to make sure everyone in the business, not just the board, knows their roles and responsibilities. Accidental incidents are still enforceable incidents.
Digitize and Automate Your Information Security Management to Ease the CPS 234 Compliance Burden
That audit, the systematic testing and the access to information all becomes much easier if that information is stored digitally in a central repository. Having a single source of truth for all entity-related information – whether it’s information about the directors, an organizational chart or more specific information relating to how the entity works with third parties – means that the legal operations team can swiftly and efficiently identify the process to follow when there is a cybersecurity breach.
Entity management software can be that secure single source of truth that helps keep your organization nimble and ready to jump into action, if required, and Diligent Entities goes one step further by integrating securely and seamlessly with Diligent Boards to create a secure Governance Cloud. The secure integration adds a layer of risk mitigation to the process, as any integration of disparate systems provides a potential door for cybersecurity threats to walk through.
Get in touch and schedule a demo to discover how Diligent Entities can help your CPS 234 compliance work by surfacing the right information to the right people at the right time, and enabling reporting on governance and compliance requirements using real-time data.