The Final Deadline for CPS 234 Tripartite Assessments
The Australian Prudential Regulation Authority (APRA) has announced the final deadline for all remaining regulated entities to submit their CPS 234 tripartite assessments and has outlined core enforcement and supervision priorities for the year ahead. This crucial step underscores APRA's commitment to cybersecurity as a fundamental pillar of financial stability. However, while the deadline looms, understanding the context, implications and potential consequences of the requirement is essential.
What is CPS 234?
Implemented in 2019, CPS 234 stands for Prudential Standard CPS 234: Information Security. It mandates specific cybersecurity obligations for APRA-regulated entities like banks, insurers, and superannuation trustees and aims to safeguard sensitive financial data, protect customer information, and ensure operational resilience against cyber threats.
What is the CPS 234 Tripartite Review?
The CPS 234 Tripartite Review is a mandatory audit commissioned by APRA. Conducted by a registered public audit firm, it assesses the effectiveness of an APRA-regulated entity's information security controls against the requirements outlined in Prudential Standard CPS 234: Information Security. The review plays a crucial role in strengthening the cybersecurity posture of the financial sector and mitigating cyber risks and also serves as a preliminary indicator of an entity’s overall cybersecurity maturity and preparedness.
Key Features of the Tripartite Review:
- Independent Evaluation - the review is conducted by a registered public audit firm, ensuring objectivity and thoroughness.
- Focus on CPS 234 - the review assesses compliance with 21 control objectives derived from the standard, providing a comprehensive evaluation.
- Tripartite Engagement - the review involves participation from APRA, the regulated entity, and the independent auditor, fostering transparent communication and collaboration.
The Tripartite Review serves as a valuable exercise for regulated entities to identify areas for improvement in their cybersecurity practices and demonstrate their commitment to information security best practices.
Why is Cybersecurity Important to APRA?
The Australian Prudential Regulation Authority (APRA) recognises the significant impact of cyber threats on the financial landscape and prioritises cybersecurity through a range of initiatives, including the CPS 234 Tripartite Review. This commitment stems from several key considerations:
- Attractive Targets for Threat Actors - financial institutions represent high-value targets for threat actors seeking substantial financial rewards and valuable personal information on the dark web.
- Escalating Cybercrime Reports - the Australian Cyber Security Centre (ACSC) observed a 13% surge in cybercrime reports during the 2020-21 financial year, underlining escalating cybersecurity challenges.
- Risks in Third-Party Relationships - as financial institutions rely more heavily on third-party support, they inherit the associated risks; breaches often result from excessive privileged access granted to third parties.
- Board Involvement - APRA's pilot of CPS 234 revealed concerns, emphasising the need for boards to actively review cyber resilience information, ensure recovery from high-impact attacks, and verify the effectiveness of information security controls across the supply chain.
The Deadline for CPS 234 Tripartite Assessment Submissions
The Australian Prudential Regulation Authority (APRA) has set the final deadline of June 30th 2024 for regulated entities to submit CPS 234 tripartite assessments. The submission window spans the next six months, following the completion of the information security assessment program’s initial pilot phase.
Key Takeaways from the Pilot Phase
- The first tranche of tripartite assessments revealed control gaps in areas such as:
  - Incomplete identification of critical information assets
  - Inadequate testing of incident response plans
  - Weaknesses in third-party risk management
- APRA emphasises that entities with significant vulnerabilities post-assessment may face intensified supervision, root cause analysis requests, remediation plans, and potential enforcement actions.
Looking Ahead: The Regulatory Landscape for Operational Resilience
With Prudential Standard CPS 230 – Operational Risk Management set to take effect from July 1, 2025, APRA urges entities to proactively ensure compliance. The regulator plans to engage with entities on operational resilience throughout 2024, providing updated guidance, meetings, webinars, and information roundtables. Ultimately, APRA is committed to ensuring regulated entities operate with:
- Robust control frameworks
- Effective business continuity plans
- Secure arrangements with service providers.
How Can You Ensure Compliance?
Navigating the intricacies of CPS 234 and successfully completing the tripartite assessment can be daunting. InfoTrust boasts a team of cybersecurity experts with a deep understanding of the standard and its assessment requirements. They can guide you through:
- Gap Analysis - identifying areas where your cybersecurity posture needs improvement.
  - Identify and map your information assets
  - Evaluate your current security controls
  - Perform vulnerability assessments and penetration testing
- Remediation Planning - developing a clear roadmap to address identified gaps and enhance your security posture.
  - Prioritise identified gaps
  - Develop clear and actionable steps
  - Allocate necessary resources
- Assessment Preparation - ensuring your organisation is fully prepared for the tripartite assessment.
  - Put your remediation plan into action
  - Establish ongoing monitoring processes
  - Conduct regular internal audits
- Fostering a Culture of Cybersecurity - educating employees about cybersecurity risks and their role in protecting organisational data.
  - Raise awareness
  - Implement security training
  - Promote a culture of shared responsibility
Don't wait until the deadline approaches. Reach out to InfoTrust today and confidently navigate your path to CPS 234 compliance.