What are the Information Security Requirements of CPS 234?

The Prudential Standard CPS 234 sets out a strict and comprehensive series of requirements that businesses should meet to protect themselves against information security threats. It applies to all entities regulated by the Australian Prudential Regulation Authority (APRA). It is essential that all Australian organizations learn about the requirements of CPS 234 so they can ensure they comply with the standard.

Who Does CPS 234 Apply to?

CPS 234 applies to all APRA-regulated entities. That includes authorised deposit-taking institutions (ADIs), including foreign ADIs. Even non-operating holding companies are regulated by CPS 234.

CPS 234 also applies to general insurers, life companies, and private health insurers. This includes non-operating holding companies that are authorised under the Insurance Act or Life Insurance Act.

CPS 234 begins to apply to all these organisations on 1 July 2019. For APRA-regulated entities whose information assets are managed by third parties, CPS 234 applies from 1 July 2020, or from the next renewal date of the contract if that is earlier.

What are the Information Security Requirements From CPS 234?

CPS 234 requires the Board of every APRA-regulated entity to take responsibility for the organisation’s information security. In each case, the requirements are appropriate to the size of the organisation and the extent of the threats it faces.

It is important for any APRA-regulated entity to have an information security policy in place. That means having documentation that outlines the organisation’s processes and procedures for ensuring that data stays secure. These documents should define the responsibilities of various levels of the organisation, such as the senior management and the governing bodies. Everyone should know what their responsibilities are in light of data security.

Making Plans to Comply with CPS 234

Every organisation to which CPS applies must classify its information assets according to their sensitivity and criticality. When creating this classifcation, businesses must consider the effect that a breach of a particular information asset would have. Consider not only the effect on the organisation, but also on individual customers, depositors, policyholders and anyone else who might be affected.

Under the requirements of CPS 234, APRA-regulated entities must also ensure that any of their assets that are handled by third parties are also secure.

Responding to Security Incidents Under CPS 234

Even if businesses take care to protect the security of their data, breaches can still occur. If this happens, all APRA-regulated entities have a responsibility to identify and respond appropriately to security incidents. It is important to make a response plan that spells out how to manage a security incident.

What are the Testing Requirements of CPS 234?

Testing is another key part of complying with CPS 234. It is important for all APRA-regulated entities to test their security protocols thoroughly and regularly.

There is no defined frequency with which organisations must test their security plans. Instead, organisations must come up with their own testing schedules based on the rate at which the threats they face change, as well as the sensitivity of the assets they must protect.

How to Ensure CPS 234 Compliance

Ensuring CPS 234 compliance is essential for all APRA-regulated entities. However, it is not always obvious how to fulfil all the requirements. Compliance Council can help organisations across Australia to ensure they meet all the standards set out in CPS 234.