Implementing APRA’s CPS 234 Prudential Standard
APRA first announced the prudential standard in March 2018. The required entities (as defined by APRA) need to comply with the standard by July 1, 2019. Further, the suppliers of APRA regulated entities are also required to comply with the standard by July 1, 2020.
There is a general lack of understanding in the market about what compliance with the standard looks like. However, this is not an excuse for not doing it. The standard was brought into effect to ensure that APRA regulated entities “have the appropriate information security capabilities to be resilient against information security incidents”. APRA also realised that, due to increases in the breadth, depth and complexity of modern-day data breaches, its entities and their suppliers need to be operationally ready to protect information. All organisations that are serious about information security should be defining what compliance looks like for their organisation, and how they will go about applying it.
July 1 is soon… but we haven’t done anything yet…
The process is not quick, but there are still actions you can take to ensure you are on the right track, and acting in the correct way to comply with the standard as soon as you can. For instance, you can conduct a gap analysis to see where you already align or where you need to improve operations to bring them closer to the requirements.
The NCC Group approach is risk-based. We determine what the worst-case scenarios look like for your organisation and work backward. Even the most basic process would entail several steps:
- Conduct a gap analysis
- Structure an achievable roadmap to close any found gaps
- Design a CPS 234 policy
- Start communicating the policy
- Add in new requirements to the provisioning and de-provisioning of any affected parties
- Start implementing the roadmap tasks
What about 3rd party compliance?
This is where things get interesting. Any organisation within Australian jurisdiction that is a supplier or provider to an APRA regulated entity required to comply with CPS 234 must also comply with the standard by July 1, 2020. APRA’s view is that all information assets are subject to CPS 234, regardless of who is managing the asset, where they sit in the supply chain, and whether or not those assets form part of the material business activities.
If you have not already done so, you should start communicating with your suppliers to let them know what you expect of them before the deadline; after all, some of the largest and most detrimental data breaches have been caused by a third-party supplier.
What are the penalties of non-compliance?
Designing your CPS 234 implementation plan with the intention of it being in full effect as soon as possible should not be deemed non-compliant. This would include demonstrating a workable roadmap, with a timeline, showing when you will be aligned with the standard.
APRA have not yet determined how or when they are going to conduct checks, nor have they announced any penalties. If we look at it from a historical point of view, we can assume that at some point in the future an audit process will be determined, with the penalty imposed most likely being a monetary fine.
While it may be true that some large organisations have fabled war chests of cash saved for this purpose, those organisations are few and far between. The reality is that most mid-sized APRA regulated entities will not be able to recover quickly from fines imposed for non-compliance.
It will take some time for APRA to conduct checks and impose fines, but in the meantime, if your organisation is doing all it can to work towards alignment, it should be confident of meeting the CPS 234 requirements.