APRA CPS 234: What Financial Institutions Need to Know Beyond the Basics

January 16, 2024

APRA Prudential Standard CPS 234 has been in effect since July 2019, and most regulated entities have long since completed their initial compliance gap assessments and policy updates. What many have discovered in the years since is that having the policies is a different matter from having the programme maturity that APRA expects to see when it reviews an entity's information security capability. The standard sets requirements in plain terms. The practice of meeting those requirements at a level that satisfies APRA examination is considerably more demanding.

APRA's approach to CPS 234 supervision has become more active. Entities that suffered incidents in recent years have faced scrutiny not just of their incident response but of the broader programme that should have prevented or detected the incident earlier. The standard's requirements around capability maintenance, testing, and third-party assurance are the areas where APRA has found the most material gaps in practice.

The Core Requirements and Where the Real Work Is

CPS 234 requires regulated entities to maintain information security capabilities commensurate with the size and extent of threats to their information assets, to implement controls to protect those assets, to test the effectiveness of controls, to notify APRA of material incidents within 72 hours, and to assess the information security capabilities of related parties and third parties that manage information assets on the entity's behalf. The requirements are not new. The depth of evidence required to substantiate compliance in an APRA review is what organisations often underestimate.

The phrase "commensurate with the size and extent of threats" is not self-defining. It requires the entity to have a current threat assessment, a view of its own information assets and their criticality, and a documented rationale for why the controls in place are appropriate to that threat and asset profile. Entities that respond to an APRA inquiry with a policy document and a control list, without the underlying analysis that connects them, are not demonstrating the capability the standard requires. They are demonstrating document management.

Third-Party Assurance: A Persistent Gap

Paragraph 36 of CPS 234 requires regulated entities to assess the information security capabilities of third parties that manage their information assets or that could adversely affect those assets. For most regulated entities, that includes cloud service providers, managed security service providers, payment processors, and a range of other service providers that have access to or custody of regulated data.

The practical requirement is a third-party assurance programme that identifies which third parties are in scope, defines the assurance method for each (which may include reviewing independent audit reports, right-to-audit clauses, or security questionnaire assessments depending on the criticality of the relationship), and documents the outcomes of those assessments. A list of vendors with self-assessed security ratings is not an assurance programme. An APRA-compliant programme tracks the scope of each third-party relationship, the information assets involved, the assurance method applied, the outcome, and the schedule for reassessment. Significant gaps in third-party assurance are among the most common findings in APRA reviews.

Testing: What APRA Expects Beyond Vulnerability Scanning

CPS 234 requires entities to test information security controls through a testing programme commensurate with the criticality and sensitivity of the information assets. For entities that manage material financial or personal data, that expectation extends well beyond annual vulnerability scanning. APRA has indicated in guidance that it expects testing to be systematic, risk-based, and to cover a range of control types including technical controls, people controls, and physical controls where relevant.

A mature testing programme typically includes vulnerability scanning on a defined schedule, penetration testing of external and internal surfaces, scenario-based testing of incident response and business continuity capabilities, social engineering assessments to test people controls, and control effectiveness testing as part of the internal audit programme. The outputs of that testing, including the findings, the remediation timelines, and the evidence of remediation completion, form part of the documentary record that APRA reviewers examine. Entities whose testing programme is primarily composed of annual penetration tests with high finding counts and slow remediation timelines are demonstrating a testing programme that is generating information but not driving improvements.

Notification Obligations and the 72-Hour Rule

CPS 234 requires APRA notification within 72 hours of becoming aware of an information security incident that has materially affected, or has the potential to materially affect, the entity or the interests of depositors, policyholders, beneficiaries, or other customers. The obligation applies to incidents affecting the entity's own environment and to incidents at third-party providers that manage information assets on the entity's behalf.

The 72-hour obligation creates a requirement for incident detection and classification capabilities that can identify a potentially notifiable incident early in the response lifecycle. Entities that lack clear criteria for what constitutes a notifiable incident, or whose incident response process does not include a notification decision point within the first few hours of an incident, are at risk of missing the window. Post-incident reviews by APRA have in some cases found that entities were aware of the circumstances of an incident considerably before the clock was started for notification purposes. Preparing for the notification obligation means building classification criteria into the incident response procedure, not interpreting them at the time of an incident. We work with APRA-regulated clients to build CPS 234 programmes that are designed to hold up under review, not just to satisfy a compliance checklist at a point in time.

To discuss your CPS 234 programme and where the gaps are most likely to be, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
GRC
Written by
Indra Gunawan
Head of Consulting
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?