How to use CPS 234 to secure your financial organisation - and the industry

Regulators, standard-setters and financial services institutions are coming together to boost resilience against evolving threats

Amid the constant change of the recent past, one thing has remained certain for financial services institutions: they are under sustained attack. In fact, the problem is only becoming more acute as cyber attacks on financial institutions continue to grow, spiking by 238% in 2020.1


Cyber threats are on the rise

Cyber attacks are on the rise across all industries, including critical infrastructure.

  • Cyber attacks cost Australian businesses $29 billion annually, according to the government.

  • 56% of cyber and business executives say state-sponsored attacks on critical infrastructure are likely (PwC’s Digital Trust Insights).

  • 58% of data breaches reported to the Office of the Australian Information Commissioner between July and December 2020 were due to a malicious or criminal attack.2

What is CPS 234?

  • The Australian Prudential Regulation Authority's (APRA) Information Security Standard CPS 234 institutes requirements around information asset identification and classification, information security roles and responsibilities, implementation and testing of information security controls, incident management, internal audit, and breach notification.
  • It makes clear that the Board is ultimately responsible for information security.
  • It calls for protective measures to be commensurate with the size of the organisation and the threats faced.
  • It includes requirements for managing third party (supplier) risk.

How CPS 234 boosts industry security standards

As risks increase, regulators are expanding their efforts to help financial organisations boost their resilience. One example is the Australian Prudential Regulation Authority’s (APRA’s) increased focus on CPS 234, its first mandatory prudential standard for information security, which applies to all APRA-regulated entities.

At the core of the regulation are three key questions:

  1. Do you understand your information assets?
  2. Have you prioritised protection through establishing a baseline of cyber controls?
  3. Are your Board and Executive enabled to oversee and manage cyber exposures?
While many of those required to comply with this standard – including banks, super funds and insurers – have been busy implementing asset identification and protective measures since CPS 234 came into effect in July 2019, our experience with regulators and within the industry shows there may be more work to be done.

That’s why it’s important that organisations take steps now to boost their security posture and manage increasing levels of risk effectively.

The good news is that taking additional steps to ensure full compliance with CPS 234 will also put regulated entities in a strong position to comply with the forthcoming data management guidance, CPG 235.

CPG 235: The next horizon

As organisations look to boost security posture through CPS 234, it is important to do so with the next regulatory hurdle in mind – CPG 235, Managing Data Risk.

Among other recommendations, CPG 235:

  • Asks that financial services organisations identify the most critical data in the organisation and formalise a strategic roadmap to proactively manage its quality.
  • Calls for the introduction of a standardised data governance framework.
  • Proposes the need for dedicated accountability for data management within organisations and formally mobilising a program to uplift standards.

CPS 234: What good looks like

A best practice plan should include:

  • An Information Security Strategy aligned to the overall IT strategy

  • An understanding of what your information assets are and where they are located

  • Board accountability for information security risks

  • An IT security governance forum or steering committee with representation from major business areas

  • Knowledge of third party relationships and awareness of how they are handling your information

  • An information security risk management framework aligned to the organisational risk management framework

  • Appropriate security mechanisms applied to critical and sensitive information assets

  • A structured assessment program for information security controls and security incident management

  • A regularly tested cyber security incident response plan

A rising tide lifts all ships: Best practice to go beyond CPS 234 compliance and increase industry security

The baseline of cyber controls formalised by CPS 234 has been established to foster good security practices among financial institutions from the board down. Yet our experience shows both boards and regulators are increasingly concerned about rising risks.

APRA is scheduled to complete a pilot tripartite review program shortly, under which a sample of regulated entities is being subjected to one-off, independent, tripartite cyber security reviews.

The key is to understand that the program isn’t about enforcement: creating a compliant, resilient security posture has industry- and economy-wide benefits that can future-proof our organisations for the long term.

How PwC can help

PwC is well-positioned to work with organisations to spot and remediate any cyber exposures to achieve cyber resilience.

With experts close to the intention of CPS 234, CPG 235 and the regulatory process, PwC is able to review your compliance efforts to ensure alignment with both the intent and the letter of the standard.

This will be done with further regulatory developments in mind, including the transition of CPG 235 to CPS status. That means your work to meet these standards does not duplicate effort or complicate future compliance initiatives.

Among other support, PwC can offer:

  • Gap analysis of existing security practices and operating model against CPS 234 and CPG 235 standards
  • Information asset identification and categorisation
  • Establishment and operation of third party security assessment programs
  • Independent security control testing
  • Augmentation of existing internal audit capability
  • Development and execution of user awareness programs
  • Operation of revised security practices

Our financial services security experts have deep technical experience and industry knowledge, including hands-on practice advising on CPS 234 compliance and defining and designing best practice programs. From the boardroom to the IT team, we bring together strategic insight and practical actions to meet, and exceed, regulatory requirements - and ultimately protect your business from cyber risk.

References:

1 Australian Security Insights Report 2021, Carbon Black

2 https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2020/

Contact us

Peter Malan

Partner, Cybersecurity & Digital Trust, PwC Australia

Tel: +61 413 745 343

Nicola Costello

Partner, Assurance Risk and Digital Trust, PwC Australia

Tel: +61 2 8266 0733

Sara Nicholson-Taylor

Director, Assurance, Trust & Risk, PwC Australia

Tel: +61 452 599 633