Prudential Standard CPS 234
On 8 March 2018, the Australian Prudential Regulation Authority (APRA) released a draft standard Prudential Standard CPS 234 – Information Security.
This comes as news surfaces of further SWIFT attacks last month, which targeted an Indian bank in an attempt to steal US$1.8 million.
APRA has stated that information security attacks are becoming increasingly frequent, sophisticated and impactful, with perpetrators continuously refining their efforts to compromise systems, networks and information worldwide; results from two of APRA’s cyber surveys are cited as evidence to support this.
That said, both the APRA discussion paper and ACSC Threat Report 2017 indicate that cyber criminals have yet to severely affect Australian institutions.
This APRA standard is part of the proposal to implement an industry-wide framework for information security management, to drive ongoing vigilance, investment and improvement. The standard aims to ensure that Australian institutions’ cyber security maturity continues to develop in line with the sophistication of cyber attackers.
The key to this proposal is that APRA promotes “soundness in business behaviour and risk management” and “expects those entities to ensure the security of all customer data”.
APRA’s information security objective is to balance the above objectives in order to maintain financial system stability for Australia. Entities must have adequate measures in place to protect customer information and be resilient against potential cyber-attacks.
The draft Prudential Standard covers the following key control areas:
- Roles and responsibilities
- Information security capability and policy framework
- Information assets and controls, including incident management
- Testing and internal audit
- APRA notification
This approach follows well-established security frameworks, using risk-based management that covers insider and external threats, whether malicious or accidental, and forms part of APRA’s broader project to update its framework.
The draft Prudential Standard also requires an entity to implement information security controls over its information assets, whether or not the entity outsources its material business activities.
1. Applies to APRA-regulated entities:
- Building societies
- Credit unions
- Friendly societies
- General insurance and reinsurance companies
- Life insurance
- Private health insurers
- Most members of the superannuation industry
2. Boards are ultimately responsible for information security - “The Board of an APRA regulated entity is ultimately responsible for ensuring that the entity maintains its information security.”
3. Defined information security roles and responsibilities at board level, senior management, governing bodies and individuals. For example, the “Banking Executive Accountability Regime (BEAR) requires an Authorised Deposit-taking Institution (ADI) to nominate a senior executive with responsibility for ‘information management, including information technology systems for the ADI’”
4. Ongoing risk-based approach and management – Identification of information threats, technical and procedural vulnerabilities, and an understanding of how risks can impact the digital ecosystem, including third-party security governance.
5. Information security incident reporting – Along with the mandatory data breach notification to the Office of the Australian Information Commissioner, incidents are to be reported to APRA. Further, entities are to confirm annually that their incident response plans are effective.
What is APRA doing next?
APRA will review CPS 234 based on issues identified through its supervisory activities and the results of its cyber security surveys. Once the final version of the Prudential Standard is released, APRA intends to consult on revised guidance and seek industry views on topics that would assist in understanding and implementation.
APRA is inviting submissions by 7 June 2018 on the information security proposals set out in its discussion paper. The final CPS 234 is expected to be released in quarter 4, 2018, coming into effect on 1 July 2019.
What action do I take?
Initially, take time to read the Prudential Standard and the supporting Discussion Paper (“Discussion Paper – Information security management: A new cross-industry prudential standard, 7 March 2018”). Ensure you understand its requirements and check whether your information security governance framework meets them. The Prudential Standard comes into effect on 1 July 2019, providing ample time to assess current controls, identify remediation and meet its objectives within the next 18 months.
The focus of the Prudential Standard is the protection of information. Information and data come from many channels and are stored throughout your environment as either hard or soft copies. Understanding where your data is located, how and why it is processed, and who is accessing it is vital in order to apply good information security governance.
More importantly, understanding the threats and vulnerabilities of your digital ecosystem will greatly help you to apply the correct technical and procedural controls.
Such controls should align to:
- Confidentiality – Restricting access to those who have been authorised
- Integrity – The characteristics of completeness, accuracy and freedom from unauthorised change or usage
- Availability – Accessibility and usability when required
How can NCC Group help?
NCC Group is uniquely placed to help you meet the Prudential Standard. NCC Group is a global cyber security expert, with over 2,000 specialist consultants who provide information assurance to a variety of sectors. Our consultants come from a breadth of backgrounds, with expertise in sectors such as finance, and have helped many financial organisations to achieve a mature and robust security profile.
NCC Group's services include:
- Centre for Evolved Next Generation Threat Assurance (CENTA)
- Cyber Security Review
- Penetration Testing & Security Assessments
- Vulnerability Discovery & Management
- Managed Detection & Response/Security Monitoring
Published date: 16 March 2018
Written by: Joss Howard