Prudential Standard CPS 234

On 8 March 2018, the Australian Prudential Regulation Authority (APRA) released a draft of Prudential Standard CPS 234 – Information Security.

This comes as news surfaces of further attacks abusing the SWIFT network, including one last month that targeted an Indian bank in an attempt to steal US$1.8 million.

APRA has stated that information security attacks are increasing in frequency, sophistication and impact, with perpetrators continuously refining their efforts to compromise systems, networks and information worldwide. APRA cites the results of two of its cyber security surveys as evidence of this.

That said, both the APRA discussion paper and the ACSC Threat Report 2017 indicate that cyber criminals have yet to severely affect Australian institutions.

This APRA standard forms part of a proposal to implement an industry-wide framework for information security management, intended to drive ongoing vigilance, investment and improvement. The standard aims to ensure that Australian institutions’ cyber security maturity continues to develop in line with the sophistication of cyber attackers.

The key to this proposal is that APRA promotes “soundness in business behaviour and risk management” and “expects those entities to ensure the security of all customer data”.  

APRA’s information security objective is to balance the two aims above in the interest of financial system stability for Australia. Entities must have adequate measures in place to protect customer information and must be resilient against potential cyber attacks.

The draft Prudential Standard covers the following key control areas:

  • Roles and responsibilities
  • Information security capability and policy framework
  • Information assets and controls, including incident management
  • Testing and internal audit
  • APRA notification

This approach follows well-established security frameworks, using risk-based management that covers both insider and external threats, whether malicious or accidental, and it forms part of APRA’s broader project to update its prudential framework.

The draft Prudential Standard also requires an entity to implement information security controls over its information assets, regardless of whether the entity has outsourced its material business activities.

Key facts

1. Applies to APRA-regulated entities:

  • Banks
  • Building societies
  • Credit unions
  • Friendly societies
  • General insurance and reinsurance companies
  • Life insurance
  • Private health insurers
  • Most members of the superannuation industry

2. Boards are ultimately responsible for information security - “The Board of an APRA regulated entity is ultimately responsible for ensuring that the entity maintains its information security.”

3. Defined information security roles and responsibilities for the board, senior management, governing bodies and individuals. For example, the “Banking Executive Accountability Regime (BEAR) requires an Authorised Deposit-taking Institution (ADI) to nominate a senior executive with responsibility for ‘information management, including information technology systems for the ADI’”.

4. Ongoing risk-based approach and management – Identification of information security threats and of technical and procedural vulnerabilities, together with an understanding of how those risks can affect the digital ecosystem, including the security governance of third parties.

5. Information security incident reporting – In addition to mandatory data breach notification to the Office of the Australian Information Commissioner (OAIC), incidents are to be reported to APRA. Further, entities must review and test their incident response plans annually to confirm that they remain effective.

What is APRA doing next?

APRA will review CPS 234 in light of issues identified through its supervisory activities and the results of its cyber security surveys. Once the final version of the Prudential Standard is released, APRA intends to consult on revised guidance and to seek industry views on topics that would assist understanding and implementation.

APRA is inviting submissions on the information security proposals set out in its discussion paper by 7 June 2018. The final CPS 234 is expected to be released in the fourth quarter of 2018 and to come into effect on 1 July 2019.

What action do I take?

Initially, take time to read the Prudential Standard and the supporting Discussion Paper (“Discussion Paper – Information security management: A new cross-industry prudential standard, 7 March 2018”). Ensure you understand its requirements and check whether your information security governance framework meets them. The Prudential Standard comes into effect on 1 July 2019, which leaves ample time, roughly 15 months, to assess current controls, identify remediation and meet its objectives before it takes effect.

The focus of the Prudential Standard is the protection of information. Information and data arrive through many channels and are stored throughout your environment, in hard copy or soft copy. Understanding where your data is located, how and why it is processed, and who accesses it is vital to applying good information security governance.

More importantly, understanding the threats to and vulnerabilities of your digital ecosystem will greatly help you apply the correct technical and procedural controls.

Such controls should align to the three security objectives:

  • Confidentiality – Restricting access to those who have been authorised
  • Integrity – The characteristics of completeness, accuracy and freedom from unauthorised change or usage
  • Availability – Accessibility and usability when required

How can NCC Group help?

NCC Group is uniquely placed to help you meet the Prudential Standard. NCC Group is a global cyber security expert, with over 2,000 specialist consultants providing information assurance to a variety of sectors. Our consultants come from a breadth of backgrounds, with expertise in sectors such as finance, and have helped many financial organisations achieve a mature and robust security profile.

NCC Group's services include:

 Centre for Evolved Next Generation Threat Assurance (CENTA)
  • Global cyber advisory practice for regulated industries
  • Assessment provides a high-level view of an organisation’s capability, comparing its current and target security state
  • Set in the context of the constantly evolving threat landscape
  • Helps the board decide what requires investment and effort as a priority
 Cyber Security Review
  • Review of controls against the NIST Cyber Security Framework (covering the five functions: Identify, Protect, Detect, Respond and Recover)
  • Asset threat and risk analysis
  • Remediation roadmap
 Data Discovery
  • Identification of data in use, its purpose, and its criticality and sensitivity to the organisation
  • Data flow identification and mapping
 Incident Response
  • Incident response planning covering the following phases: protect, identify, contain, eradicate, recover and learn
  • Development of tailored policies and procedures
  • Incident response playbook/run book testing 
  • Cyber Incident Response
  • Retained Incident Response
  • Digital Forensics and Malware Analysis
  • Network Threat Assessments and Monitoring
  • Certification readiness assessment
  • Control gap assessment
  • Policy packs (includes information classification and handling procedures)
  • ISO27001:2013 audits
 Data Privacy
  • GDPR health checks
  • VPDSF health checks
  • Australian Privacy Mandatory Data Breach Notification plans
 Threat Intelligence
  • Threat Intelligence
  • InTELL – Global criminal activity tracking
  • Domain Intelligence
 Penetration Testing & Security Assessments
  • Threat Mapping and Threat Risk Assessments
  • Penetration Testing – External, internal, WiFi networks etc.
  • Web and Mobile Application Testing
  • Secure Code Reviews
  • Targeted Penetration Testing/Simulated Attacks
  • Full Spectrum Attack Simulations - Red Team, Black Team, Purple Team and Gold Team engagements
  • Regulatory-driven CBEST, TIBER and iCAST simulations
 Supplier Assured
  • Review of information, technical and procedural security controls
 Risk Management
  • Information risk assessments based on ISO 31000
  • Technical risk assessments based on technical standards (e.g. OWASP)
 Vulnerability Discovery & Management
  • Network Vulnerability and ASV Scanning
  • Web Application Scanning
  • Secure Internal Scanning
  • DDoS Assured
 Managed Detection & Response/Security Monitoring
  • Network Security Monitoring and advanced SIEM analytics
  • Network Threat Monitoring

Published date:  16 March 2018

Written by:  Joss Howard
