APRA's new CPS 234 - Effective 1 July 2019

November 15, 2018

APRA (the Australian Prudential Regulation Authority which ensures that regulated financial organisations in Australia comply with some of the most rigorous banking and financial regulations in the world) has finally released the much anticipated "CPS 234". Australian Banks, Building Societies, Credit Unions, Insurers and Super Trusts must now prepare for this new regulation which comes into effect on the 1st of July 2019.


A press release from APRA stated "APRA’s current guidance on managing information security was issued in 2010 through Prudential Practice Guide CPG 234 Management of security risk in information and information technology. However, developments in the way technology is used by financial institutions, including the increasing use of third party service providers, and the continuing threat from cyber-crime has escalated to the extent that a binding prudential standard is now warranted. The proposed new standard, CPS 234 with a view to implementation from 1 July 2019. The new standard will require regulated entities to:


  • clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals;

  • maintain information security capability commensurate with the size and extent of threats to information assets, and which enables the continued sound operation of the entity;

  • implement information security controls to protect its information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls;

  • have robust mechanisms in place to detect and respond to information security incidents in a timely manner; and

  • notify APRA quickly of material information security incidents.


Although APRA-regulated entities are generally well-placed to meet the requirements set out in CPS 234 given the prior guidance contained in CPG 234, APRA expects all entities will continue to need to improve their information security practices. By doing so, they will be better prepared to safeguard the confidentiality, integrity and availability of their data and systems, to enable their continued sound operation.


No matter how strong security measures are, however, APRA also recommends entities adopt an ‘assumed breach position’ – in essence, assuming that at some point their information security defences will be penetrated. This mindset encourages the development of robust incident management practices that help ensure any incident is detected swiftly and dealt with effectively, thereby minimising the financial and reputational damage to the entity."


The last paragraph is of particular interest and sets the tone for this new regulation. All APRA-regulated entities must be in a position to act very quickly in the event of a Data Breach. This has a GDPR flavored 72 hour window for data breach notification. The message is clear "have sound processes and practices in place to act when required" Remember the definition of a data breach in just about all regulations regardless of jurisdiction, is not just unauthorised access to systems, it extends to Availability of the systems that are relied upon. An unavailable system, in most cases constitutes a Notifiable Data Breach.


This new regulation comes to light on the back of a very busy time for all Australian owned entities with the introduction of the Data Breach Notification Scheme introduced by the Office of the Australian Information Commissioner (OAIC) on February 22nd and the introduction of the GDPR (EU) 2016/679 on the 25th of May.


This means that it has also been a very busy time for our Global Data Protection Management System (GDPMS) - GRC , which now includes these new APRA requirements in its core system offering. It already included the GDPR and the NDB Scheme in its growing list of legislation and regulation compliance now covering more than 160 regulators around the world for more than 81 countries. A growing list of regulations, legislation's and compliance requirements for a shrinking online world. 


Get your business up to speed with this one-stop International Standard compliant Governance Risk and Compliance (GRC) System. It handles all the Policies, Standards, Processes, Procedures, Work Instructions for your systems with beautifully written ISO documents. It comes complete with more than 85 Registers (against the ISO 27002 International Standard Controls) and a complete (ready to go) Information Security Management Framework (ISMF) which generates legal documents for Third-Party Management (including Recipients, Controllers and Processors) and has a comprehensive automated Task Review Scheduling system to assist with the most detailed and rigorous compliance against any legislation in the world. All of which delivers an outstanding Data Breach Notification and Information Security Risk Management system that is second to none, easy to use and globally distributed for a true multi-national experience.


Most importantly, this system is designed with commercial reality at its core. So rather than just a GRC, you get the worlds most comprehensive GRC that has built-in commercial reality designed to do business. Complete with employee Information Security training videos, tests and regular reviews. A turn-key solution to an ever increasing data privacy and protection problem.


Get in touch and book your free online Demonstration of the Global Data Protection Management System today.









Share on Facebook
Share on Twitter
Please reload

Featured Posts

Scholarships Now Open for July 2019

April 30, 2019

Please reload

Recent Posts