
Cybersecurity in financial services

The full cost of cybercrime in Australia is hard to quantify – not all breaches are notifiable – but it runs into billions of dollars in direct costs and lost productivity. Recent reports confirm that the financial services sector in Australia was the most targeted sector for cyber attacks. In fact, it accounted for 25% of all attacks. The average cost of a data breach in the sector was $5.5 million, and 40% of financial services businesses in Australia have experienced a cyber attack in the past year. The most common type of cyber attack in the sector is phishing, followed by ransomware and malware attacks. The most common targets for cyber attacks in the sector are customer data, financial data, and intellectual property.

Financial services need the confidence of knowing they’re complying with Australian Prudential Regulation Authority (APRA) regulations and guidance – both for compliance and to ensure protection against a growing cybercrime threat. Employing professional Cyber Security Services can greatly assist in this endeavor, offering specialized expertise and technologies to safeguard your digital assets.

About APRA

The Australian Prudential Regulation Authority (APRA) is an independent statutory authority that oversees banking, insurance and superannuation institutions.

For businesses looking to navigate these complex compliance waters, Managed IT Services can offer a structured and comprehensive approach to ensure all technological aspects are in line with APRA regulations.

APRA issues and enforces a series of prudential security standards to ensure that, under all reasonable circumstances, financial promises are kept by regulated entities.

When APRA licences banking, insurance or superannuation businesses to operate, they become a prudently regulated entity: they must comply with standards like APRA Prudential Standard CPS 234 that APRA will supervise and enforce.

Proactive protection of digital information and assets is a social and financial imperative. To achieve this, APRA-regulated entities must meet minimum standards:

  • protect data from vulnerability and threats commensurate with data value
  • detect breaches swiftly and take action to minimise impact
  • respond effectively to incidents affecting information security
  • maintain assurance of information systems security through constant capability testing and auditing.

For those unsure of how to proceed, IT Consulting Services can provide targeted advice on achieving compliance while optimizing operational efficiency.

Beyond CPS 231 and CPS 232

CPS 234 goes beyond CPS 231 and CPS 232 and is specifically designed to address the information security of a company’s digital assets.

CPS 231 refers only to ‘appropriate due diligence, approval and ongoing monitoring’ of ‘outsourcing arrangements involving material business activities entered into by an APRA-regulated institution and a Head of a group’.

CPS 232 addresses some business continuity and risk management activities of APRA-regulated institutions.

About CPS 234

From 1 July 2020, all APRA-regulated entities must have, or have outsourced to a capable third party, information security systems to meet the requirements of CPS 234, the Prudential Standard for Information Security.

CPS 234 addresses information security capability and includes all information assets across business resources, skills and controls. It goes further to include third parties who provide information security services, and third parties who may access or use business information assets.

What are the key requirements of CPS 234?

An APRA-regulated entity must:

  • clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals;
  • maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity;
  • implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and
  • notify APRA of material information security incidents.

Who is a financial entity under the authority of APRA?

A financial entity includes:

  • all banks and other authorised deposit-taking institutions
  • general insurers
  • wealth managers
  • financial advisers
  • life insurance companies
  • private health insurers
  • registrable superannuation entity (RSE) licensees.

Can third parties still manage a regulated entity’s digital security?

Yes. The APRA-regulated entity remains responsible for assessing the ongoing capabilities of the third party. It must also give special consideration to the potential consequences of an information security incident affecting the third party, and therefore the entity’s own assets.

The entity is also responsible for evaluation and approval of the design of particular controls used to protect digital assets.

What particular IT and ICT protection controls are required?

Every IT control system managed directly or via a third party must:

  • protect all information assets according to their vulnerabilities and current environmental threats as assessed by the Board/Company
  • detect and respond to any threat or incident quickly and appropriately, depending on the criticality and sensitivity of the data under threat
  • take action appropriate to the life cycle stage of the data asset. The stages can be anything from planning and design through to decommissioning and disposal
  • take action according to the potential consequences of a security incident with each asset.

How quickly must APRA be notified of a breach?

APRA must be notified of a security breach as soon as possible, and no later than 72 hours after the entity becomes aware of an information security incident that has affected, or has the potential to affect, the entity or its stakeholders.

APRA also requires entities to notify them of any incident that has been notified to global regulatory bodies.

How quickly must APRA be notified of a system fault?

APRA must be notified of a system fault as soon as possible. This means no later than 10 days after the entity becomes aware of an information security control weakness that cannot be quickly remediated.

What should internal audits cover?

Internal audits must cover as a minimum:

  • a review of the design and operational effectiveness of the controls, including those provided by a related or third party
  • a review of the skills and experience of all personnel involved in information security to assure appropriate management
  • a full review of the information security assurance provided by a related party or third party, where the entity is relying on that assurance, or where an incident could potentially affect the entity or its stakeholder’s interests. This applies to all the information assets managed by the third party, not just those assets related to your entity.


6 Ways the right MSP helps you comply with CPS 234

#1 Defining roles and responsibilities

Under CPS 234, the Board is responsible for protecting company digital assets and information. It must ensure that information security is maintained in line with the size of the assets and the threat profile, preserving resilience and the capability to keep operating.

Your MSP can assist in clearly defining and communicating the roles and responsibilities within your organisation – including Board members, senior management, governing bodies, and individuals who play a role in information security.

#2 Develop and maintain a policy framework

Your MSP can support you to maintain a policy framework that demonstrates how you will establish and maintain systems that increase your business’s resilience to information security threats and incidents. You must also prove your business capability to respond swiftly and effectively to any breach from any source.

These frameworks must be scalable, appropriate to your threat exposure and data sensitivity – and your policy must clearly outline responsibilities for the maintenance of information security.

#3 Timely response to threats

As an APRA-regulated entity, get MSP support to create and maintain information security response plans to respond swiftly and vigorously to incidents. You must have processes in place to:

  • address and control every stage of an incident from first detection to review and improvement
  • escalate and report incidents to the Board, other bodies (like APRA) and IT security individuals
  • review (at least annually) plans for asset management to effectively address contemporary incident scenarios.

#4 Identify controls that match the context

Get support to put controls in place that are commensurate with:

  • vulnerabilities and threats to the information assets;
  • the criticality and sensitivity of the information assets;
  • the stage at which the information assets are within their life-cycle; and
  • the potential consequences of an information security incident.

#5 Testing

Every APRA-regulated entity must use a systematic regime to test the effectiveness of its information security controls. Your MSP stays across the types and frequency of testing, which must be adaptable and scalable to:

  • the rate of change in threats and vulnerabilities
  • criticality and sensitivity of the entity’s assets
  • potential consequences of an incident involving any asset
  • the materiality and frequency of changes to information assets.

Look for an MSP who can deliver testing “conducted by independent specialists with commensurate skills and experience” at least once a year, or whenever there is a ‘material change’ to the business environment or information assets.

#6 Internal Audit

CPS 234 mandates a minimum standard; Canon Business Services' (formerly Harbour IT) SIEM goes beyond it, giving actionable information as needed, with auditable logs for every process. Embracing the principles of remote monitoring and management (RMM), our cloud services take a similar approach, with our development teams constantly monitoring and improving security controls as the cybercrime environment evolves.

Benefits of implementing CPS 234

Enhanced data security

CPS 234 requires organisations to implement a number of measures to protect their data from unauthorised access, use, disclosure, modification, or destruction. These measures can help to reduce the risk of data breaches and other security incidents.

Improved risk management

CPS 234 mandates regular risk assessments and the implementation of appropriate controls to manage identified risks. By complying with these requirements, organisations can proactively identify and address potential vulnerabilities, reducing the likelihood and impact of security incidents.

Increased trust from customers and stakeholders

Customers and stakeholders are increasingly concerned about the security of their data. By implementing CPS 234, organisations can demonstrate to their customers and stakeholders that they are taking information security seriously. This can help to build trust and confidence, which can lead to increased business opportunities.

Regulatory Compliance

CPS 234 is a mandatory requirement for APRA-regulated entities. By implementing CPS 234, organisations can help to ensure that they are in compliance with APRA's requirements, thereby avoiding the regulatory penalties, reputational damage and legal consequences associated with non-compliance.

Strengthened Business Resilience

CPS 234 promotes the implementation of strategies and controls to ensure the resilience of critical information assets. This helps organisations identify vulnerabilities, prevent disruptions, and maintain continuity of operations even in the face of cyber threats or system failures.

Improved Incident Response

CPS 234 mandates the establishment of an effective incident response framework. By complying with this requirement, organisations can detect and respond to security incidents promptly, minimising the impact of potential breaches and mitigating risks effectively.

Competitive Advantage

Organisations that comply with CPS 234 differentiate themselves from their competitors by demonstrating their commitment to information security. This can be a valuable asset when attracting customers, partners, and investors who prioritise data protection and privacy.

Main challenges of implementing CPS 234

Organisational Alignment and Commitment

Implementing CPS 234 often requires significant organisational change and a cultural shift towards prioritising information security. This may involve redefining roles and responsibilities, establishing new processes and procedures, and fostering a security-aware culture throughout the organisation. Resistance to change and the need for employee training and awareness programs can pose challenges during implementation.

Complexity and Scope

CPS 234 covers a wide range of information security aspects, including risk assessment, incident response, access controls, and data encryption. Implementing these requirements across the various systems, networks, and processes within an organisation can be complex and challenging, particularly for larger institutions with diverse operations and legacy systems.

Aligning with existing frameworks

Many organisations already have information security frameworks in place, such as ISO 27001 or the National Institute of Standards and Technology (NIST) Cybersecurity Framework. These frameworks may overlap with CPS 234, and organisations need to make an informed decision about which frameworks they are committing to.

Managing third-party risks

Many organisations rely on third-party vendors to provide critical services. These vendors may have their own security vulnerabilities, which could pose a risk to the organisation. Adopting CPS 234 requires organisations to have a process in place for reviewing and auditing third-party vendors in order to manage these risks.

Balancing security and usability

Security and usability are often seen as competing priorities. Organisations need to find a way to balance these two priorities, so that their security measures do not make it too difficult for users to access the information they need.

Resource Considerations

Compliance with CPS 234 can involve significant costs, including investments in technology, infrastructure, personnel, and ongoing maintenance. Smaller financial institutions or those with limited budgets may face challenges in allocating the necessary funds for compliance without compromising other operational priorities.

Interdepartmental Collaboration

Implementing CPS 234 often requires close collaboration and coordination between various departments within an organisation, such as IT, risk management, legal, and compliance. Ensuring effective communication and collaboration among these departments can be challenging, particularly in larger organisations with complex organisational structures.

Adapting to ever-evolving cyber threats

The threat landscape is constantly evolving, and organisations need to be able to adapt their security measures accordingly. This can be a challenge, as it requires organisations to have a good understanding of the latest threats and how to mitigate them.

These are just some of the challenges that organisations face when implementing CPS 234. By understanding these challenges and finding the right MSP, organisations can better prepare themselves for the implementation process.

How Canon Business Services supports your CPS 234 compliance

We specialise in highly regulated industries where data protection is critical for a competitive edge. We’ve helped hundreds of organisations transition to secure, compliant IT environments, conforming with APRA, PCI DSS and ISO 27001 requirements and obligations.

Canon Business Services understands the changing nature of business continuity and the demands of balancing the latest technology with robust security standards. Our industry-leading platforms are ISO 27001 and PCI DSS certified, and APRA-aligned, so you can report back to boards and regulators with total confidence.

Does your business need to step up or get a secure edge in the competitive financial services market?

Get proactive about CPS 234 compliance with Canon Business Services and contact us to discuss our Solutions for Financial Services.
