APRA CPS 234 Penetration Testing Requirements: What Banks and Insurers Need to Know

July 16, 2024

APRA Prudential Standard CPS 234 Information Security has been in force for APRA-regulated entities since July 2019. It establishes requirements for information security capability, policy, incident response, and -- critically for this article -- the testing of controls. Many regulated entities have built compliance programmes around the standard, yet APRA's own supervisory findings, including the observations published following its CPS 234 thematic review, indicate that testing practices remain one of the most commonly deficient areas.

The testing requirements in CPS 234 are not prescriptive about methodology. The standard does not use the words "penetration test." What it requires is that entities test the effectiveness of their information security controls, with the nature and frequency of testing commensurate with the criticality of the assets being protected and the rate of change in the threat environment. For most regulated entities with internet-facing services, customer data, and interconnected technology platforms, this means penetration testing is the appropriate mechanism for meeting the testing obligation.

What CPS 234 Actually Requires on Testing

Paragraph 36 of CPS 234 requires that an APRA-regulated entity test the effectiveness of its information security controls through a systematic testing programme. The programme must be commensurate with the nature of threats to the entity's information assets. The frequency and rigour of testing must increase where information assets are more critical or where the threat environment has changed.

Paragraph 37 requires that the results of testing be notified to the board or board committee, to senior management, and to any related parties whose assets are affected. This notification requirement is significant. It means that testing is not simply an IT activity. The board is required to receive the results, which means they need to be in a form that a board can act on. A raw vulnerability scan output does not satisfy this. A penetration test report with an executive summary, a risk-rated finding list, and a clear remediation status satisfies it far better.

Where Regulated Entities Fall Short

APRA's supervisory observations have identified a number of recurring gaps in how regulated entities approach their testing programmes. The most common include:

  • Testing that covers only internet-facing systems, leaving internal network segments, privileged access pathways, and third-party connections untested
  • Annual testing cycles that do not account for significant changes to the technology environment -- a major cloud migration or a new customer-facing application deployed mid-year should trigger additional testing
  • Treating a vulnerability scan as equivalent to a test of control effectiveness, when a scan identifies the presence of weaknesses rather than demonstrating whether controls prevent exploitation
  • Finding remediation that is tracked informally, without evidence of re-testing to confirm the fix was effective
  • Board reporting on testing outcomes that summarises only the headline finding count without communicating residual risk or the status of open findings from prior cycles

A further gap is in third-party testing. CPS 234 extends information security obligations to related parties who manage information assets on behalf of the regulated entity. If a critical service provider -- a technology outsourcer, a cloud platform operator, a payment processor -- has not demonstrated that their controls have been tested, the regulated entity carries residual risk that its own testing programme does not address.

What a CPS 234-Aligned Testing Programme Looks Like

An information security testing programme that addresses CPS 234 requirements has several defining characteristics. It is risk-based, meaning the scope and frequency of testing reflects the criticality of the assets involved rather than treating all systems equally. It is evidenced, with documented scope agreements, reports that record what was tested and what was found, and records showing that findings were either remediated or formally risk-accepted.

It is also continuous in the sense that testing is not an annual event but a recurring activity that responds to change. When a new application is deployed, when a significant architectural change is made, or when a new threat actor technique becomes relevant to the entity's profile, the testing programme should respond. Annual testing is a floor, not a target.

Engaging APRA on Testing Deficiencies

When APRA identifies a deficiency in a regulated entity's testing programme through a supervisory review or a CPS 234 attestation process, the entity is required to remediate the deficiency within agreed timeframes and to notify APRA if a material information security control weakness is identified that has not been remediated within a defined period. A material weakness identified through testing that remains open and unremediated is a notifiable matter under paragraph 36A of the standard.

This means that conducting a thorough penetration test and receiving a significant finding creates an obligation. Receiving the finding is not the risk -- failing to remediate or escalate it in accordance with the standard is. Organisations that conduct penetration testing primarily to produce a document for auditors, without a genuine remediation process attached, are creating a compliance liability rather than reducing one.

To discuss APRA CPS 234 penetration testing requirements and how we support regulated entities, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
Offensive Security
Written by
Shahbaz Rasheed
Managing Director
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?