APRA Finalizes CPS 234 to Help Combat Threat of Cyber Attacks

Where an APRA-regulated entity’s information assets are managed by a third party, the requirements in this Prudential Standard will apply in relation to those information assets from the earlier of the next renewal date of the contract with the third party or July 01, 2020. This prudential standard will apply to APRA-regulated entities, including authorized deposit-taking institutions, general insurers, life insurers, private health insurers, licensees of registrable superannuation entities (RSE licensees), and authorized or registered non-operating holding companies. CPS 234 requires APRA-regulated entities to:

• Clearly define information-security related roles and responsibilities
• Maintain an information security capability commensurate with the size and extent of threats to their information assets
• Implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls
• Promptly notify APRA of material information security incidents

APRA first released a discussion paper in March outlining the intended requirements of the new prudential standard. Industry was supportive of the intent and direction of CPS 234. APRA agreed to make several amendments, including clarifying requirements for information assets managed by third parties and modifying the timeframes for notifying APRA of information security incidents and material information security control weaknesses. To help entities fulfill their requirements, APRA will shortly update the Prudential Practice Guide CPG 234 on Management of Information and Information Technology. 

Related Links

• Media Release
• CPS 234 and Response Paper

Effective Date: July 01, 2019/July 01, 2020

Keywords: Asia Pacific, Australia, Banking, Insurance, CPS 234, Cyber Risk, Regtech, Prudential Standard, APRA