APRA Prudential Standard CPS 234: Are you compliant?

31 May 2023

By NCC Group

In 2023, APRA Chair John Lonsdale delivered a speech to the AFR Banking Summit in Sydney where he raised some interesting points about the first tranche of results from the Tripartite reviews. He said analysis showed that entities have more work to do and that there is a need to continuously raise the bar on cyber preparedness and resilience across banking, insurance, and superannuation.

Prudential Standard CPS 234, issued by Australia’s financial safety regulator, the Australian Prudential Regulation Authority (APRA), took effect in July 2019.

CPS 234 applies to all APRA-regulated entities, which include banks, credit unions, building societies, general insurance and reinsurance companies, life insurers, private health insurers, friendly societies, and a large part of the superannuation industry.

It requires financial and insurance sector organisations to strengthen their information security framework and to take the appropriate measures to be resilient against information security incidents (cyber attacks) by maintaining an information security capability commensurate with their information security vulnerabilities and evolving threats.

Are you compliant?

As the standard requires the regulated entity to maintain a level of information security preparedness that aligns with the existing information security risks and the constantly changing threat landscape, it is quite possible that your organisation is not compliant in a number of areas.

In order to ensure compliance, we suggest starting with a CPS 234 gap assessment to determine your current position.

The assessment will identify gaps in compliance, along with additional controls or existing controls that require an uplift, in order to maintain a level of information security preparedness that aligns with the existing information security risks and the constantly changing threat landscape.

Furthermore, some organisations need help implementing the gap assessment recommendations. Our Cyber Security Improvement services will ensure new or uplifted controls are implemented in the most secure and effective way.

New to CPS 234? Where do you begin?

Perhaps you are a Digital Bank, Neo Bank, or a newly founded authorised deposit-taking institution (ADI). If you have recently fallen under the regulatory purview of APRA or are looking to ensure your compliance with APRA CPS 234, read on.

So, where should you begin?

A key objective is to build cyber resilience and minimise the likelihood and impact of information security incidents on the confidentiality, integrity, or availability of information assets. That includes information assets managed by related parties or third parties.

The Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity has appropriate information security. An APRA-regulated entity must:

  • Clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies, and individuals.
  • Maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.
  • Implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets and undertake systematic testing and assurance regarding the effectiveness of those controls.
  • Notify APRA of material information security incidents.

Let’s break that down:

1. Clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals.

Many organisations use our virtual Chief Information Security Officer (vCISO) and/or virtual Information Security Manager (vISM) services to help define the related roles and responsibilities and to uplift policies and procedures in line with widely recognised frameworks for information security management, e.g. ISO 27001 and the NIST CSF.

Our vCISOs and vISMs are ideal for augmenting positions in your organisation during rapid growth.

2. Maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.

NCC Group recommends starting with an information governance programme, including implementing information classification practices across your organisation to ensure information is protected in accordance with its classification. Experts like ours help develop and implement such practices, as well as the frameworks and technologies needed to appropriately classify and label information. We can also advise on and implement Data Loss Prevention (DLP) solutions as part of this programme.

NCC Group offers many information security capabilities as managed services that protect your information assets and maintain sound operations, including:

  • Operational Risk Management services to provide a clear picture of the risks to your information assets, including those arising from the partners and third parties that process them.
  • Managed Vulnerability Scanning Services, which use transparent and hands-on oversight to help fill the gaps between manual penetration tests. We deliver hands-on rapid detection, monitoring, and remediation of internal and external system vulnerabilities.
  • SOCs in the UK, the Netherlands, and Australia to support and defend your organisation through daily security monitoring and hunting for advanced attackers.
  • Advanced detection and response solutions, such as Extended Detection and Response (XDR), which go beyond traditional endpoint detection and response (EDR) and network detection and response (NDR) solutions. XDR combines data from multiple security products and data sources, including EDR, NDR, cloud security, email security, and deception technology, to provide a more comprehensive view of your security posture and to detect threats across the entire attack surface.

3. Implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls.

The NCC Group Professional Services team has over 700 security consultants and engineers who assess, implement, and provide the necessary assurance that controls are operating effectively.

NCC Group recommends that regulated entities understand their baseline security posture with a Cyber Security Review (CSR) to assess cyber security maturity against industry frameworks such as the NIST CSF.

NCC Group also offers Security Architecture Services (SAR) to implement ‘Security by Design’.

Following CSRs and SARs, NCC Group can provide standalone services to uplift your information security policy framework, and security engineers to implement controls in accordance with that framework.

To protect information assets, it is important to understand the threats your organisation faces. NCC Group offers Threat Intelligence Services such as:

  • Online Exposure Assessments
  • Threat Landscape Assessments
  • Threat & Attack Path Modelling

To implement systematic testing of information assets, NCC Group recommends Penetration Testing, Security Assessments, and Cyber Resilience Services. Just some of the areas we focus on include:

  • Data and Application Security Testing Services
  • Cloud and Infrastructure Security Testing Services
  • Social Engineering Simulations
  • Physical Security Review and Breach Assessments (Black Team Exercise)
  • CORIE-related:
    • Adversary Attack Simulation (Red Team Exercise)
    • Replay Attack Simulation (Purple Exercises)
    • Table Top Crisis Simulation (Gold Team Exercise)

4. Notify APRA of material information security incidents.

The faster your organisation can understand if a security event is an incident, the sooner you can contain and eradicate the threat. A well-defined incident response plan and capable resources are key to reducing the impact and meeting mandatory notification times.

NCC Group can help to ensure that incident response plans and playbooks are up to date and exercised. NCC Group offers Tabletop Crisis Simulations, where your responders, crisis management team, C-Suite, and Board participate in an interactive tabletop incident simulation to experience and improve their response and management capability.

When an incident is declared, many organisations do not have the capability or experience to perform a thorough investigation. Consider an NCC Group Incident Response Retainer: our Cyber Incident Response Teams (CIRT) are spread around the world and, depending on the retainer, can respond within an hour.

Re-assessing or struggling with compliance, or building a regulated function?

NCC Group experts are here to help you with APRA's CPS 234 regulation.