The full cost of cybercrime in Australia is hard to quantify – not all breaches are notifiable – but it runs into billions of dollars in direct costs and lost productivity. Recent reports confirm that the financial services sector in Australia was the most targeted sector for cyber attacks. In fact, it accounted for 25% of all attacks. The average cost of a data breach in the sector was $5.5 million, and 40% of financial services businesses in Australia have experienced a cyber attack in the past year. The most common type of cyber attack in the sector is phishing, followed by ransomware and malware attacks. The most common targets for cyber attacks in the sector are customer data, financial data, and intellectual property.
Financial services need the confidence of knowing they’re complying with Australian Prudential Regulation Authority (APRA) regulations and guidance – both for compliance and to ensure protection against a growing cybercrime threat. Employing professional Cyber Security Services can greatly assist in this endeavor, offering specialized expertise and technologies to safeguard your digital assets.
The Australian Prudential Regulation Authority (APRA) is an independent statutory authority that oversees banking, insurance and superannuation institutions.
For businesses looking to navigate these complex compliance waters, Managed IT Services can offer a structured and comprehensive approach to ensure all technological aspects are in line with APRA regulations.
APRA issues and enforces a series of prudential security standards to ensure that, under all reasonable circumstances, financial promises are kept by regulated entities.
When APRA licences banking, insurance or superannuation businesses to operate, they become prudentially regulated entities: they must comply with standards such as APRA Prudential Standard CPS 234, which APRA supervises and enforces.
Proactive protection of digital information and assets is a social and financial imperative. To achieve this, APRA-regulated entities must meet minimum standards:
For those unsure of how to proceed, IT Consulting Services can provide targeted advice on achieving compliance while optimizing operational efficiency.
CPS 234 goes beyond 231 and 232 and is specifically designed to address the information security of a company’s digital assets.
CPS 231 refers only to ‘appropriate due diligence, approval and ongoing monitoring’ of ‘outsourcing arrangements involving material business activities entered into by an APRA-regulated institution and a Head of a group’.
CPS 232 addresses some business continuity and risk management activities of APRA-regulated institutions.
From 1 July 2020, all APRA-regulated entities must have, or have outsourced to a capable third party, information security systems to meet the requirements of CPS 234, the Prudential Standard for Information Security.
CPS 234 addresses information security capability and includes all information assets across business resources, skills and controls. It goes further to include third parties who provide information security services, and third parties who may access or use business information assets.
An APRA-regulated entity must:
A financial entity includes:
Yes. The APRA-regulated entity is still responsible for assessing the ongoing capabilities of the third party. It must also give special consideration to the potential consequences of an information security incident affecting the third party, and therefore its own assets too.
The entity is also responsible for evaluation and approval of the design of particular controls used to protect digital assets.
Every IT control system managed directly or via a third party must:
APRA must be notified of a security breach as soon as possible – no more than 72 hours after the entity becomes aware of an information security incident that has affected, or has the potential to affect, the entity or its stakeholders.
APRA also requires entities to notify them of any incident that has been notified to global regulatory bodies.
APRA must also be notified of a control weakness as soon as possible. This means no later than 10 days after the entity becomes aware of a weakness in an information security control that cannot be quickly remediated.
Internal audits must cover as a minimum:
Under CPS 234, the Board is responsible for protecting company digital assets and information. They must ensure that information security is maintained in line with the size of the assets and threat profile, by maintaining resilience and the capability to maintain operations.
Your MSP can assist in clearly defining and communicating the roles and responsibilities within your organisation – including Board members, senior management, governing bodies, and individuals who play a role in information security.
Your MSP can support you to maintain a policy framework that demonstrates how you will establish and maintain systems that increase your business’s resilience to information security threats and incidents. You must also prove your business capability to respond swiftly and effectively to any breach from any source.
These frameworks must be scalable, appropriate to your threat exposure and data sensitivity – and your policy must clearly outline responsibilities for the maintenance of information security.
As an APRA-regulated entity, get MSP support to create and maintain information security response plans to respond swiftly and vigorously to incidents. You must have processes in place to:
Get support to put controls in place that are commensurate with:
Every APRA-regulated entity must use a systematic regime to test the effectiveness of its information security controls. Your MSP stays across the types and frequency of testing, which must be changeable and scalable to:
Look for an MSP who can deliver testing “conducted by independent specialists with commensurate skills and experience” at least once a year, or whenever there is a ‘material change’ to the business environment or information assets.
CPS 234 mandates a minimum standard; Canon Business Services' (formerly Harbour IT) SIEM goes beyond it, giving actionable information as needed, with auditable logs for every process. Our cloud services take a similar approach, with our development teams constantly monitoring and improving security controls as the cybercrime environment evolves.
CPS 234 requires organisations to implement a number of measures to protect their data from unauthorised access, use, disclosure, modification, or destruction. These measures can help to reduce the risk of data breaches and other security incidents.
CPS 234 mandates regular risk assessments and the implementation of appropriate controls to manage identified risks. By complying with these requirements, organisations can proactively identify and address potential vulnerabilities, reducing the likelihood and impact of security incidents.
Customers and stakeholders are increasingly concerned about the security of their data. By implementing CPS 234, organisations can demonstrate to their customers and stakeholders that they are taking information security seriously. This can help to build trust and confidence, which can lead to increased business opportunities.
CPS 234 is a mandatory requirement for APRA-regulated entities. By implementing CPS 234, organisations can help to ensure that they are in compliance with APRA's requirements, thereby avoiding the regulatory penalties, reputational damage and legal consequences associated with non-compliance.
CPS 234 promotes the implementation of strategies and controls to ensure the resilience of critical information assets. This helps organisations identify vulnerabilities, prevent disruptions, and maintain continuity of operations even in the face of cyber threats or system failures.
CPS 234 mandates the establishment of an effective incident response framework. By complying with this requirement, organisations can detect and respond to security incidents promptly, minimising the impact of potential breaches and mitigating risks effectively.
Organisations that comply with CPS 234 differentiate themselves from their competitors by demonstrating their commitment to information security. This can be a valuable asset when attracting customers, partners, and investors who prioritise data protection and privacy.
Implementing CPS 234 often requires significant organizational changes and a cultural shift towards prioritizing information security. This may involve redefining roles and responsibilities, establishing new processes and procedures, and fostering a security-aware culture throughout the organization. Resistance to change and the need for employee training and awareness programs can pose challenges during implementation.
CPS 234 covers a wide range of information security aspects, including risk assessment, incident response, access controls, and data encryption. Implementing these requirements across various systems, networks, and processes within an organization can be complex and challenging, particularly for larger institutions with diverse operations and legacy systems.
Many organisations already have information security frameworks in place, such as ISO 27001 or the National Institute of Standards and Technology (NIST) Cybersecurity Framework. These frameworks may overlap with CPS 234, and organisations need to make an informed decision about which frameworks they are committing to.
Many organisations rely on third-party vendors to provide critical services. These vendors may have their own security vulnerabilities, which could pose a risk to the organisation. Adopting CPS 234 requires organisations to have a process in place for reviewing and auditing third-party vendors in order to manage these risks.
Security and usability are often seen as competing priorities. Organisations need to find a way to balance these two priorities, so that their security measures do not make it too difficult for users to access the information they need.
Compliance with CPS 234 can involve significant costs, including investments in technology, infrastructure, personnel, and ongoing maintenance. Smaller financial institutions or those with limited budgets may face challenges in allocating the necessary funds for compliance without compromising other operational priorities.
Implementing CPS 234 often requires close collaboration and coordination between various departments within an organisation, such as IT, risk management, legal, and compliance. Ensuring effective communication and collaboration among these departments can be challenging, particularly in larger organisations with complex organisational structures.
The threat landscape is constantly evolving, and organisations need to be able to adapt their security measures accordingly. This can be a challenge, as it requires organisations to have a good understanding of the latest threats and how to mitigate them.
These are just some of the challenges that organisations face when implementing CPS 234. By understanding these challenges and finding the right MSP, organisations can better prepare themselves for the implementation process.
We specialise in highly regulated industries where data protection is critical for a competitive edge. We’ve helped hundreds of organisations transition to secure, compliant IT environments, conforming with APRA, PCI DSS and ISO 27001 requirements and obligations.
Canon Business Services understands the changing nature of business continuity and the demands of balancing the latest technology with robust security standards. Our industry-leading platforms are ISO 27001 and PCI DSS certified, and APRA-aligned, so you can report back to boards and regulators with total confidence.
Does your business need to step up or get a secure edge in the competitive financial services market?
Get proactive about CPS 234 compliance with Canon Business Services and contact us to discuss our Solutions for Financial Services.