Lloyd's MS11: Cyber Resilience and Data Management
APRA's mandatory information security regulation under Prudential Standard CPS 234 applies to all financial service institutions that are supervised by APRA. The main objective of CPS 234 is to minimise the likelihood and impact of incidents affecting the confidentiality, integrity or availability of information and information systems. Importantly, this includes assets managed by related parties or third parties.
5 Things to know about CPS 234:
1. CPS 234 commences on 1 July 2019. If your information assets are managed by a third party, the deadline for CPS 234 compliance is 1 July 2020.
2. Your information security policy framework must be proportionate to your exposure to threats. It must outline the responsibilities of all stakeholders who have a role within that framework (including the Board, senior management, governing bodies and individuals).
3. Your organisation and your IT providers must have information security controls in place to protect your information. These controls must take into account an asset's vulnerabilities and threats, its criticality and sensitivity, and its life-cycle stage, as well as the potential consequences of a cybersecurity incident. This extends to making similar assessments of the related or third parties that manage those assets.
4. You and your IT providers must carry out appropriate testing of the security controls protecting your data. Testing must be conducted by skilled and functionally independent specialists, and the testing program must be reviewed annually or in response to material changes. You must also include a review of the design and effectiveness of security controls, including those of related or third parties, in your internal audit activities.
5. You must notify APRA as soon as possible after becoming aware of an information security incident that did, or had the potential to, materially affect stakeholders, or one that has been notified to other regulators.
How can CyberWorqs help?
CyberWorqs will align CPS 234 with your overall Information Security Strategy, ensure you have good governance and clearly communicated roles and responsibilities, identify and classify your information assets, implement, test and monitor controls, and provide incident management and notification support.
We also assess your third-party providers to ensure they are also aligned with the requirements under CPS 234.