Bravura : Cyber security in the Information Age – CPS 234 and the key role of third parties

In the face of evolving cyber security threats, information security has never been more important for financial services entities and their technology partners. Key information security challenges include social engineering, fraud, hacking, mobile OS/app vulnerabilities and cyber-attacks on big data, supply chains and critical infrastructure, as well as potential impacts from natural disasters, utility failures and terrorism events. The advent of cloud-based environments adds another dimension to this mix.

To bring data security threats into focus for the financial services sector, APRA introduced its new prudential standard - CPS 234 Information Security - on 1 July 2019. CPS 234 requires APRA-regulated entities to step up and take the necessary measures to be resilient against information security incidents, including cyber-attacks, so that under all reasonable circumstances, their commitments to their members can continue to be met. New requirements include a cybersecurity framework that encompasses roles and responsibilities, information security capabilities, information asset identification and classification, systematic assurance, incidents management, notification, testing and audit.

Recognising that APRA-regulated entities increasingly rely on other providers to help them deliver end-to-end services - and that this introduces additional vulnerabilities - CPS 234 applies to all information assets, including those managed by third parties. The objective is to minimise the possibility and impact of data security incidents relating to confidentiality, integrity or availability of the entirety of a regulated entity's information assets.

APRA's expectation is that by 1 July 2020, a regulated entity will take reasonable steps to satisfy itself that its existing third-party providers have sufficient measures in place to manage the additional threats resulting from such arrangements. Any new contracts or contract renewals must be CPS 234 compliant from the outset.

Bravura actively supports our clients to assess the adequacy of our policies, processes and controls in relation to their CPS 234 obligations. To find out more, please contact Head of Account Management Louise Dewar on (03) 9935 2539.