
APRA CPS 234 Information Security Guidance

Jul 18, 2019

Collaboration and Access Come with a Price

Digital transformation and collaboration tools have revolutionized how we use and share information. It’s easier than ever to share ideas, documents and pose questions to co-workers and third-party vendors. However, these advances in collaboration have also come with increased cyber threats, in particular for financial and insurance organizations, as the personal and financial information stored and collaborated on is a high value target for cybercriminals and malicious insiders alike.

While this is a global epidemic, Australia is extremely vulnerable. According to the 2018 Asia Pacific Security Capabilities Benchmark Study, Australian organizations are dealing with more security alerts than their global and regional peers: 81% of Australian companies face more than 5,000 alerts per day, which the study reports as by far the highest number in the Asia Pacific region.

To address these increasing risks, the Australian Prudential Regulation Authority (APRA) has created a new prudential standard for information security management “to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyberattacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats.”

What is APRA CPS 234?

CPS 234 requires that an APRA-regulated entity (banks, credit unions, building societies, insurance and reinsurance companies, private health insurers, life insurers and members of the superannuation industry) must:

  • “Clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals;
  • Maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity;
  • Implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and
  • Notify APRA of material information security incidents.”

Who’s responsible and what needs to happen?

According to the regulation, the Board of an APRA-regulated entity is responsible for the information security of the entity. “It must ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.”

Additionally, APRA-regulated organizations “must clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals with responsibility for decision-making, approval, oversight, operations and other information security functions.”

CPS 234 clearly lays out what you need to do to comply in great detail. Here’s a quick summary of what’s required for compliance:

      1. For starters, you need to ensure you have an information security policy framework that clearly defines the responsibilities of all parties who have an obligation to maintain the information security of your organization (see the stakeholders mentioned above).
      2. Classify all your information assets, including those managed by related parties and third parties, by importance and sensitivity. You must consider the degree to which an information security incident affecting the individual asset has the potential to “affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers.”
      3. Information security controls must be in place to protect your information assets, including those managed by related parties and third parties. They must be implemented in a timely manner and be commensurate with the vulnerability and sensitivity of the information and the potential impact of a breach.
      4. Be able to detect and respond to information security incidents in a timely manner.
      5. Test the effectiveness of your information security controls through a systematic testing program, and repeat that testing regularly as the threat landscape changes.
      6. Regularly perform internal audit activities, including a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties.
      7. And if all else fails and you are breached, you must notify APRA as soon as possible and, in any case, no later than 72 hours after becoming aware of an information security incident.

What should organizations do?

You’re probably asking yourself how you can take advantage of the benefits that collaboration and pervasive access to information afford, while maintaining compliance and avoiding compromise due to increased threat exposure.

While this may seem like a daunting task, there are many solutions that can help you ensure APRA compliance and mitigate threats. A data-centric approach to managing compliance is a must to comply with APRA CPS 234. Data-centric tools apply the protection to the data itself as opposed to the application or container in which it currently resides.

It’s a much better fit for sensitive data like financial and insurance information governed by APRA CPS 234 that is in an almost constant state of motion across multiple collaboration scenarios. These intelligent security tools are both content and context aware, meaning:

  • They can automatically classify a document based on the level of sensitivity of its contents; and
  • Adapt security controls to the changing risk profile associated with the document as users access and collaborate across multiple locations, organizational and geographic boundaries, and devices.
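As an added illustration of the two bullets above (content-aware classification and context-adaptive controls), here is a small policy engine in Python. It is example code written for this post, not NC Protect's implementation, and every rule in it is a constructed assumption: the content patterns, the four sensitivity labels, the device and network conditions, and the decision table are all placeholders that a real deployment would tune to its own asset classification.

```python
import re
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Tuple

class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

# Constructed content rules: a pattern and the minimum sensitivity its
# presence implies. These are illustrative, not a real classifier.
CONTENT_RULES = [
    # "123-456 12345678" BSB-and-account style string (shape only, not a validator)
    (re.compile(r"\b\d{3}-\d{3}\s\d{6,10}\b"), Sensitivity.RESTRICTED),
    (re.compile(r"\bpolicy\s+number\b", re.IGNORECASE), Sensitivity.CONFIDENTIAL),
    (re.compile(r"\b(date of birth|salary)\b", re.IGNORECASE), Sensitivity.CONFIDENTIAL),
    (re.compile(r"\binternal use only\b", re.IGNORECASE), Sensitivity.INTERNAL),
]

def classify(text: str) -> Sensitivity:
    """Content-aware step: the label is the highest sensitivity any rule implies."""
    level = Sensitivity.PUBLIC
    for pattern, implied in CONTENT_RULES:
        if pattern.search(text):
            level = max(level, implied)
    return Sensitivity(level)

@dataclass(frozen=True)
class Context:
    """Context-aware step: who is acting, from what device and network."""
    user: str
    managed_device: bool
    on_corporate_network: bool

ACTIONS = ("read", "download", "share_external")

def decide(level: Sensitivity, ctx: Context, action: str) -> Tuple[bool, str]:
    """Constructed decision table: the same document gets different controls
    depending on its label and the context of the access."""
    if action not in ACTIONS:
        return False, "unknown action"
    if level == Sensitivity.PUBLIC:
        return True, "public content"
    if action == "share_external":
        return False, f"{level.name} content may not be shared outside the entity"
    if level == Sensitivity.INTERNAL:
        return True, "internal content, any device"
    if not ctx.managed_device:
        return False, f"{level.name} content requires a managed device"
    if level == Sensitivity.CONFIDENTIAL:
        if action == "download" and not ctx.on_corporate_network:
            return False, "CONFIDENTIAL content downloads only on the corporate network"
        return True, "managed device"
    # RESTRICTED: view-only, and only from a managed device on the corporate network
    if action == "download":
        return False, "RESTRICTED content is view-only"
    if not ctx.on_corporate_network:
        return False, "RESTRICTED content readable only on the corporate network"
    return True, "managed device on corporate network"

# Data-centric audit trail: one record per access decision, kept with the data label.
AUDIT_LOG: List[dict] = []

def enforce(doc_id: str, text: str, ctx: Context, action: str) -> dict:
    """Classify the content, decide against the context, and record the outcome."""
    level = classify(text)
    allowed, reason = decide(level, ctx, action)
    record = {"doc": doc_id, "user": ctx.user, "action": action,
              "label": level.name, "allowed": allowed, "reason": reason}
    AUDIT_LOG.append(record)
    return record

# Constructed sample documents (not real customer data).
SAMPLE_DOCS = {
    "claim-1": "Claim summary. Policy number 88-1234. Date of birth withheld.",
    "refund-7": "Payment instruction: BSB 062-000 12345678 for the refund.",
    "lunch": "Team lunch menu for Friday.",
    "orgchart": "Internal use only: draft org chart.",
}

if __name__ == "__main__":
    office = Context("alice", managed_device=True, on_corporate_network=True)
    cafe = Context("alice", managed_device=False, on_corporate_network=False)
    for doc_id, text in SAMPLE_DOCS.items():
        for ctx in (office, cafe):
            for action in ACTIONS:
                r = enforce(doc_id, text, ctx, action)
                print(f"{doc_id:9} {r['label']:12} {action:15} "
                      f"managed={ctx.managed_device!s:5} allowed={r['allowed']!s:5} {r['reason']}")
```

The point of the split between `classify` and `decide` is that the label travels with the document while the decision is re-evaluated on every access, so the same file can be readable at a desk and blocked from a personal laptop without anyone re-configuring the SharePoint library or mailbox it happens to live in. The `AUDIT_LOG` records are what an internal audit or an APRA incident notification would draw on.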

Are you ready to defend and protect your data?

Protecting data governed under APRA CPS 234 is of utmost importance – not doing so will harm both your organization and your pocket. Beyond these starting points, APRA-regulated organizations should look for solutions that can provide data-centric auditing, classification and security controls to maintain compliance and mitigate threats.

Learn how NC Protect’s data-centric security capabilities can help you ensure compliance with APRA CPS 234 without sacrificing the advantages of collaboration.