
APRA CPS 234 Compliance

Go digital with confidence in financial services.

The financial services industry has driven the adoption of digital technology faster than any industry segment. This has enabled innovative customer experiences, the development of new products and services all while increasing transaction volumes at reduced costs.


However, it has also created opportunities for cyber criminals to commit financial and identity theft. It is this risk that the Australian Prudential Regulation Authority (APRA) seeks to address with CPS 234.

Who needs to comply?

CPS 234 applies to all APRA-regulated entities including:

  • Authorised deposit-taking institutions (ADIs), including foreign ADIs, credit unions, banks, and non-operating holding companies authorised under the Banking Act

  • General insurers, including Category C insurers, non-operating holding companies authorised under the Insurance Act, and parent entities of Level 2 insurance groups

  • Life companies, including friendly societies, eligible foreign life insurance companies and non-operating holding companies registered under the Life Insurance Act

  • Private health insurers registered under the PHIPS Act

  • RSE licensees under the SIS Act, in respect of their business operations

  • Superannuation funds

Importantly, for APRA-regulated entities that use third-party services, CPS 234 also applies to the information assets managed by those third parties.

What are my responsibilities?

Whilst not an exhaustive list, broadly speaking CPS 234 requires APRA-regulated entities to:

  • Define the information security roles and responsibilities of the Board, senior management, governing bodies and individuals

  • Maintain an information security capability appropriate to the threat to its information assets, and which enables the continued operation of the entity

  • Implement controls to protect its information assets that are appropriate to the criticality and sensitivity of those assets, and undertake ongoing testing and assurance of the effectiveness of those controls

  • Notify APRA of material information security incidents


These key requirements are then further broken down into eight broad categories:

  1. Information security capabilities

  2. Policy frameworks

  3. Information asset identification & classification

  4. Implementation of appropriate information security controls

  5. Security incident management

  6. Testing of the effectiveness of controls

  7. Internal audits

  8. APRA notifications

Ionize has helped some of Australia's most trusted brands achieve and maintain CPS 234 compliance, and our experience can help guide your business to a solution that is appropriate for your unique circumstances.

Even if you are not sure of your CPS 234 compliance requirements or status, there is no reason not to get started with good cyber hygiene.

Ionize recommends every business implement these basic cyber security best practices:

  • Keep up to date with vendor-supplied security patches for your devices and software, to close off well-known attack vectors

  • Implement two-factor authentication (2FA) to minimise the chance that an attack using stolen passwords succeeds

  • Implement endpoint security protection, such as anti-virus software, to help harden the edges of your IT systems

Finally, give us a call or reach out through the Chat facility on our website. We are happy to help.