
In November 2020, the APRA executive board identified that too many basic cyber security practices were missing across the industry, especially at a time when threats were increasing exponentially.

While many banks, superannuation funds and insurers, as well as non-bank lenders and aggregators, have been working towards compliance since CPS 234 (Consolidated Prudential Standard 234) came into effect in 2019, it’s clear there is more work to be done in the area of cybersecurity.

APRA is now warning of action against companies that don’t take rising security threats seriously, and is beginning its next stage of enforcement against organisations that have not yet fully complied with CPS 234. As a result, APRA has initiated a Tripartite Review program to gauge the level of compliance with CPS 234, commencing with independent pilot assessments of selected regulated entities in the first half of 2021.

The review is part of a four-year strategy, the ‘Corporate Plan 2020-2024’. The purpose of this strategy is to increase the rigour of compliance with CPS 234 Information Security and to require the Boards of regulated entities to engage independent third-party auditors to undertake a thorough CPS 234 compliance audit, with the results reported not only to the Board but also directly to APRA.

The strategy clearly states that the goals are:

  • improving and broadening risk-based supervision;
  • improving resolution capacity;
  • improving external engagement and collaboration;
  • transforming data-enabled decision-making;
  • transforming leadership, culture and ways of working.

APRA has already completed a number of tripartite reviews and tripartite readiness reviews as part of the pilot series.

Early feedback from APRA’s tripartite reviews suggests that all financial services organisations should consider what an ongoing assurance roadmap for CPS 234 compliance will look like for FY22 and beyond.

Where should your focus be?

  • Securing your supply chain
  • Putting your controls testing programs into practice
  • Identifying and classifying information assets

Organisations need to consider improving their CPS 234 compliance as part of their wider IT and cybersecurity strategy.

What’s next?

CPG 235 - Managing Data Risk. Although this prudential practice guide has existed since 2013, APRA has indicated that CPG 235 is next on the agenda for rigorous compliance implementation.

As organisations look to boost their security posture through CPS 234, it is important to do so with the next regulatory hurdle in mind: CPG 235, Managing Data Risk.

Bird’s-eye view of CPG 235:

  • Identify the most critical data in the organisation and formalise a strategic roadmap to proactively manage its quality.
  • Develop a standardised data governance framework.
  • Document the accountability for data management within the organisation.
  • Formally mobilise a data security program to uplift standards.

We, at Rabbon, have developed a DIY tool that will help you self-assess your current compliance posture. However, for a comprehensive CPS 234 audit, contact us. Our tool can be downloaded here. A comprehensive audit is expected to take around three to four weeks.

We specialise in developing risk management plans and strategies.

Cybersecurity is what we do

Rabbon is a cybersecurity company with offices in Sydney and Melbourne. We lead a team of Cyber Security Consultants and GRC Consultants who help organisations become cyber resilient by providing access to effective and affordable cybersecurity services. We believe that “Cybersecurity is for everyone”.

You can contact our Cyber Security Consultants for an obligation-free consultation.

Email: [email protected]