What is CPS 234?
CPS 234 is a mandatory information security regulation issued by the Australian Prudential Regulatory Authority (APRA) that took effect on July 1, 2019. It requires organizations in the financial and insurance sectors to strengthen their information security framework in order to protect themselves and their customers from the growing threat of cyber attacks.
What is APRA?
The Australian Prudential Regulation Authority (APRA) is a statutory authority that was established during 1998 by the Australian Government.
APRA is accountable to the Australian Parliament but acts independently to supervise institutions performing actions related to insurance, superannuation, and banking.
A core purpose of APRA is to provide communities with assurance as to the financial behavior of institutions under all reasonable circumstances.
APRA was given the authority to oversee private health insurers, general and life insurers, superannuation funds, friendly societies, reinsurance companies, and institutions authorized to take deposits like building societies, banks, and credit unions.
Why is the APRA CPS 234 Important?
CPS 234 is an information security law intended to ensure that regulated entities can withstand cyberattacks and other security threats. In addition, when an obvious data breach or other security incident is discovered, businesses must respond in a timely manner.
The frequency, complexity, and impact of cyberattacks continues to increase, and criminals are constantly improving their efforts to disrupt systems, networks and information.
Financial institutions are an attractive target for cyberattacks, and hold personally identifiable information (PII) and protected health information (PHI) of Australian citizens. Banks and insurance companies increasingly use third-party tools and services to improve customer experience, and this increases their security exposure.
CPS 234 aims to reduce risk and improve cybersecurity by requiring entities regulated by APRA to maintain information security systems and practices that are appropriate for the threats they face. It also requires them to use supplier risk management techniques to reduce the likelihood and impact of third party incidents.
Who Needs to Comply with CPS 234?
CPS 234 applies to all legal entities regulated by APRA:
- Accredited deposit-taking institutions (ADI)—including foreign and non-business holding companies licensed under Australian banking law
- General insurance companies—including category C, non-operating holding companies licensed under Australian insurance law, and parent companies of secondary insurers.
- Life insurance companies—including membership societies, foreign life insurance companies, and non-operating holding companies registered under the Australian Life Insurance Act
- Private health insurance companies registered under the PHIPS Act
- Organizations licensed under RSE based on Australian SIS Act
Wherever an organization regulated by APRA manages information via a third party, the CPS234 regulation also applies to that third party.
The main goals and requirements of the draft standard are:
- To minimize the likelihood and impact of information security incidents.
- To ensure that regulated entities take the necessary steps to respond to cybersecurity incidents.
- To define information security roles and responsibilities for the board, executive management, individuals within a company, and governing bodies.
- To define and document information security functions and policy frameworks.
- To protect data assets and implement controls based on system testing and validation.
- To ensure regulated entities have appropriate mechanisms for detecting and responding security incidents on time.
- To ensure notification of APRA within 24 hours of any significant information security incident.
APRA delegates responsibility over information security to the board of directors. The idea is to enable the continued operation of the entity while ensuring that the board oversees how data assets are maintained and secured.
Organizations covered by CPS 234 should strengthen six key areas of information security:
- Cyber security frameworks, accountability and reporting—this involves a formal framework for security, establishing controls, and assigning information security roles for board, management, governing bodies and individuals.
- Identification and classification of information assets—information assets should be classified according to their importance (according to the impact of availability loss) and confidentiality (according to the impact of confidentiality and integrity loss).
- Third party compliance—ensuring information security standards are maintained by third parties that process organizational data.
- Systematic security assurances—continually testing systems to ensure that security measures are appropriate and effective given the evolving threat landscape.
- Respond to security incidents—a formal incident response plan must be in place to ensure adequate response and mitigation for all incidents, with notification of significant incidents APRA.
- Internal audits—regulated entities must ensure the effectiveness of information security controls by conducting period internal audits.
How to Ensure Compliance with CPS 234
To ensure your organization can fulfill its compliance obligations, ask the following questions.
What Third Parties Manage Information Assets?
This may seem like an obvious problem, but you need a comprehensive audit to understand which assets are under control by third parties. Ultimately, the board is responsible for complying with CPS234, so the board must ensure they know about all assets managed by third parties.
The CPS 234 standard imposed a deadline of July 1, 2020, requiring organizations to comply with the standard for third part data by that date.
What are the Roles and Responsibilities of the Third Parties?
To comply with CPS 234, entities (including third parties) must clearly define the organization’s security-related roles and responsibilities. Certain third parties are responsible for managing and storing customer payment data. Some companies may assist with security, for example by offering penetration testing services.
When complying with CPS 234, the most important thing is to clarify the roles and responsibilities of these external parties, and they can then be correlated to roles and responsibilities of internal roles.
How Capable are Third Parties in Managing Information Security?
To comply with CPS 234, it is necessary to evaluate whether the information security features of third-party vendors correspond to the potential consequences of security incidents. Even if the appropriate controls are in place, the organization must ensure that it has a contract in place to ensure they are maintained.
On the other hand, if the third party does not have the appropriate security measures, what changes must be made to the third party to achieve the required security controls? If a change is required by a third party, the change must be included in the supplier contract and evaluated after completion.
What Security Controls Do the Third Parties Have in Place?
CPS 234 stipulates that enterprises must protect all information assets internally and have adequate security controls administered by third parties. These security control measures should correspond to the threats and vulnerabilities facing the information assets, the importance and confidentiality of the assets, and any potential consequences of an InfoSec incident.
If the company finds inappropriate third-party security controls, it will be required to describe the amendment requirements in a new contract with the third party.
CPS234 Compliance with Imperva
Imperva Data Protection solution is used to meet auditing, monitoring, alerting, and protection requirements for CPS234 compliance in Australian financial organizations.
Imperva’s Data Protection solution provides comprehensive protection of structured data, whether it is on-premise, in the cloud cloud, in big data stores, or in mainframes. Imperva’s components, architecture, and alerting mechanisms have been certified for CPS234 compliance by leading banks.
In addition to CPS234 compliance, Imperva’s data security solution protects your data wherever it lives—on premises, in the cloud and in hybrid environments. It also provides security and IT teams with full visibility into how the data is being accessed, used, and moved around the organization.
Our comprehensive approach relies on multiple layers of protection, including:
- Database firewall—blocks SQL injection and other threats, while evaluating for known vulnerabilities.
- User rights management—monitors data access and activities of privileged users to identify excessive, inappropriate, and unused privileges.
- Data masking and encryption—obfuscates sensitive data so it would be useless to the bad actor, even if somehow extracted.
- Data loss prevention (DLP)—inspects data in motion, at rest on servers, in cloud storage, or on endpoint devices.
- User behavior analytics—establishes baselines of data access behavior, uses machine learning to detect and alert on abnormal and potentially risky activity.
- Data discovery and classification—reveals the location, volume, and context of data on-premises and in the cloud.
- Database activity monitoring—monitors relational databases, data warehouses, big data, and mainframes to generate real-time alerts on policy violations.
- Alert prioritization—Imperva uses AI and machine learning technology to look across the stream of security events and prioritize the ones that matter most.