Is your board aware of its cyber roles and responsibilities? APRA issued in July 2019 a new mandatory regulation, CPS 234

APRA has issued a new mandatory regulation, CPS 234 which commenced on 1 July 2019. This Prudential Standard aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyber-attacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats.

A key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including information assets managed by related parties or third parties.

The Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security.

What is CPS 234?
CPS 234 is a mandatory regulation issued by the Australian Prudential Regulation Authority (APRA) and commences on 1 July 2019. It requires organisations to uplift their information security capabilities commensurate with the evolving size and extent of the threats to their information assets.

Key capabilities to keep in mind for information security include:

Security governance model
Skilled resources
Information security framework – which should include:
  Controls to secure the organisation from information security threats
  Controls which provide vigilance over evolving threat intelligence and how it may impact the organisation
  Controls which provide resilience to recover from and minimise the impact of cyber incidents

CPS 234 requires uplift in 6 key domains of information security. These are:

1. Cyber Security Framework and organisational accountability and reporting. A robust framework and corresponding controls are required. Information security roles and responsibilities for the Board, senior management, governing bodies and individuals must be defined.
2. Information asset identification and classification. Information assets must be classified according to their criticality (impact of loss of availability) and sensitivity (impact of loss of confidentiality and integrity).
3. Third party compliance. Extension of information security to third-parties to protect sensitive information is required.
4. Systematic assurance. APRA-regulated entities must continually test their systems to ensure that their security capability is commensurate with the evolving threat landscape.
5. Security incident response. Formal incident response plans must cover all incident cases, and APRA must be notified of material information security incidents.
6. Internal audit. The design and operating effectiveness of information security controls must be reviewed.

Talk to Securite about meeting your cyber risk obligations and board education.