The Office of the Australian Information Commissioner reported that there were over 950 data breaches in Australia between April 2018 and April 2019 – a 700% increase in breaches from 2017. This prompted the Australian Prudential Regulation Authority (APRA) to immediately take action. The APRA released the Prudential Standard CPS 234 on July 1, 2019, to ensure regulated entities have information security controls in place to minimize the impact of information security incidents.
CPS 234 requires that a regulated organization must:
- Clearly define the information security-related roles and responsibilities of the board of the organization, senior management, governing bodies, and individuals.
- Maintain an information security capability commensurate with the size and extent of threats to the organization’s information assets (or data), and which enables the continued sound operation or the organization.
- Implement controls to protect the organization’s information assets commensurate with the criticality and sensitivity of those information assets and undertake systematic testing and assurance regarding the effectiveness of those controls.
- Notify APRA of material information security incidents.
What exactly does this translate to? More simply, organizations that fall under the CPS 234 umbrella must ensure they do the following:
- Implement a security policy framework that clearly outlines the responsibilities of the stakeholders.
- Identify data within the organizations and ensure it’s classified based on criticality and sensitivity
- Maintain an information security capability applicable to the organization size and extent of threats to their information assets
- Create security controls that protect the organization’s assets and take into account the threats, vulnerabilities and potential cost of the security incident.
- Develop an annually renewed incident management program that allows the organization to identify and respond to potential incidents in timely manner.
- Conduct testing of the security controls created to protect data with the organization. The testing is required to be done by independent specialists and reviewed annually for changes in security posture.
- Notify APRA no later than 72 hours after discovering a potential security incident. Additionally, APRA must be notified with 10 days after becoming aware of an information security control weakness which the organization won’t be able to remediate in a timely.
Third Party Cyber Risk Management (TPCRM) & CPS 234
An overwhelming 60% of breaches are caused by a third party, a statistic that companies like Instagram, Mitsubishi and Mastercard know all too well as they are among organizations who experienced data breaches caused by third parties in 2019. For organizations who don’t have a mature TPCRM program, third parties are often the weakest link in an organization’s information security, making managing their risk a top priority for CPS 234.
CPS 234 mandates that, as of July 1, 2020 or next contract renewal date (after 1 July 2019), third parties who manage the information of an APRA regulated entity must also adhere to the regulation. It’s vital for regulated entities to have knowledge of their third party relationships and awareness of how they are managing data. An efficient and mature TPCRM program is critical for organizations on their journey to CPS 234 compliance.
LEAD PRIVACY ANALYST