Aussie regulator focuses on cyber risk: APRA Standard CPS 234 

Who is affected? 

The Standard primarily affects APRA-regulated entities, including: 

1.           authorised deposit-taking institutions (ADIs) such as banks, building societies, and credit unions; 

2.           general insurance companies; 

3.           life insurance companies; 

4.           private health insurers; and 

5.           superannuation funds (managed investment schemes that invest in retirement savings). 

These entities are required to comply with CPS 234 and implement the necessary measures to strengthen their cybersecurity. 

What is the Standard intended to achieve? 

Consumer protection is at the heart of APRA Standard CPS 234. APRA-regulated entities must maintain robust cybersecurity defences to protect themselves and their customers from cyber threats. The Standard aims to ensure that entities: 

• enhance cybersecurity governance, with the establishment of a comprehensive framework to oversee and manage cybersecurity risks effectively; 
• implement information security controls to protect their digital assets from unauthorised access, disclosure, alteration, or destruction; 
• have effective incident response plans in place to respond promptly and effectively to cybersecurity incidents and breaches; and 
• enhance their data management and third-party risk management so as to ensure that third-party service providers adhere to the same high cybersecurity standards that the APRA-regulated entities are held to. 

Penalties for non-compliance 

Failure to comply with APRA Standard CPS 234 can result in various penalties (imposed by APRA, naturally), which may include: 

• financial penalties;  
• enforcement actions; and/or  
• APRA may require a non-compliant entity to undertake specific remedial actions to address the deficiencies and strengthen its cybersecurity capabilities. 

Although not a regulatory penalty, non-compliance with CPS 234 can also result in reputational damage, which can harm a firm’s ability to attract customers or do business in the future. 

An interconnected world: the role of cybersecurity controls 

In terms of its approach to creating and enforcing regulations, APRA aims to be “a forward-looking regulator”. Standard CPS 234 seems aligned with that ambition, by recognising that cyber threat actors are not constrained by borders or time zones. 

There is an extensive recognition of proportionality within the regulation that requires an appropriate application of cybersecurity controls within the organisation. The shifting nature of cybersecurity threats means that compliance is an ongoing effort that requires continuous engagement with cybersecurity from the board and the wider business.  

A “compressive roadmap” is an effective way to achieve this engagement. These roadmaps are often used in the context of organisational change models. The purpose of a compressive roadmap is to facilitate smooth transitions during periods of change, minimise disruption, and ensure that intended outcomes are achieved. It helps garner trust and encourages organisational participation and adoption of change. 

How can Thomas Murray help? 

Under CPS 234, APRA-regulated entities are required to maintain an information security policy framework which is commensurate to their exposure to vulnerabilities and threats. This should be broadly consistent with other policy frameworks, like risk or vendor management. Our specialist cybersecurity consulting team can provide the necessary support to organisations to ensure compliance – from developing compressive roadmaps and helping to implement and establish the necessary foundations to achieve compliance, to providing targeted support for organisations to ensure that compliance is ongoing. 

Finally, our proprietary technology allows the automation of the creation, issuance and evaluation of questionnaires for assessing your third parties. 

The extensive experience of Thomas Murray's cybersecurity team will ensure appropriate controls, processes and mechanisms are in place to ensure appropriate cybersecurity risk management.