What you need to know about APRA’s Prudential Standard CPS234 Information Security


Follow us on LinkedIn

6 Dec 2018
  • Compliance and Regulation
  • Technology and Cyber Risk

Who It Applies To

The Standard applies to all APRA regulated entities, which include authorised deposit-taking institutions, general insurers, parent entities of Level 2 insurance groups, life companies, private health insurers, and Registrable Superannuation Entity licensees under the Superannuation Industry (Supervision) Act 1993.

When It Applies From

The Standard comes into effect from 1 July 2019. Where an APRA regulated entity’s information assets are managed by a third party, then it will apply to those assets from the earlier of either the contract renewal date or 1 July 2020.

Why It’s Important

APRA regulated entities manage sensitive information assets. The Standard is aimed at minimising the likelihood and impact of information security incidents, inclusive of those that could occur with related or third parties.

What Processes Are Needed

Information security policy frameworks need to be matched to the threat landscape presented to be effective. This requires an information security focus within processes such as incident management, regulatory notifications and the identification, management and testing of controls.

How to Prepare

Key areas to review to prepare effectively for the Standard’s implementation are ensuring roles and responsibilities are clear, including those to be performed by the Board, and that systems and processes are in place to enable effective control management, control testing, incident management and regulatory notifications within stipulated timeframes.

What Capabilities Are Needed

Information security skill and knowledge is required at all levels, including within the Board and internal audit. It is critical that entities match and maintain their resources with the threat landscape that they face, including that related or third parties meet the required standards. This includes ensuring the appropriate capabilities for testing and audit are met.

What you need to know about APRA’s Prudential Standard CPS234 Information Security
Download the article

Let us tell you more

Risk management expectations are evolving rapidly. How well is your organisation equipped to respond?