Whitepaper

Guide to Prudential Standard CPS 234 Information Security for APRA-Regulated Entities

Noggin

Continuity Management Software

Updated August 22, 2023

APRA and its role

An independent statutory authority, the Australian Prudential Regulation Authority (APRA) supervises financial and related institutions across the banking, insurance, and superannuation sectors.

APRA is accountable to the Australian Parliament, which has tasked the authority with maintaining the safety and soundness of the financial industry. More specifically, APRA is responsible for protecting the interests of depositors, policyholders, and superannuation fund members.

To promote the stability of the financial system, APRA works in tandem with other regulatory bodies, including the Australian Treasury, the Reserve Bank of Australia, and the Australian Securities and Investments Commission.

Entities APRA oversees 

  • Authorised deposit-taking institutions (such as banks, building societies, and credit unions)
  • General insurers
  • Life insurers
  • Friendly societies
  • Private health insurers
  • Reinsurance companies
  • Superannuation funds (other than self-managed funds)

Why is APRA interested in risk to businesses?

The failure of just one regulated institution can undermine the stability of the financial system. For that reason, APRA is obliged to maintain a low incidence of failure among the entities it regulates.

Of course, APRA itself can only do so much. It must therefore compel the management and directors of those entities (most likely the Board of Directors) to ensure that their own institutions remain sound.

APRA primarily does so by imposing prudential standards. These standards are put in place to increase resilience to business disruption arising from internal and external events, and to reduce the impact of such disruption on business operations, reputation, profitability, depositors, policyholders, and other stakeholders.

Key standards address capital adequacy, liquidity, and governance to ensure that systemic risks (i.e., risks that would endanger the system as a whole) are properly managed. 

Information security falls under this rubric as well. Information security, and data breaches in particular, is of ever-increasing concern for APRA-regulated entities; finance and insurance routinely rank among the sectors most vulnerable to data breaches [i]. And so, in July 2019, APRA released Prudential Standard CPS 234 Information Security, for which the following guide provides a primer.

About Prudential Standard CPS 234 Information Security

CPS 234 derives its statutory authority from sections of the Banking Act, the Insurance Act, the Life Insurance Act, the Private Health Insurance Act, and the Superannuation Industry legislation.

What is the intent of the standard? CPS 234 seeks to ensure that regulated entities take measures to be resilient against information security incidents (including cyberattacks). They can do so, according to the standard, by maintaining an information security capability commensurate with their information security vulnerabilities and threats. 

The key objective of the standard, as such, is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity, and/or availability of information assets, including information assets managed by related parties or third parties. 

Key requirements to that effect include:

  • Clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies, and individuals
  • Maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity
  • Implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls
  • Notify APRA of material information security incidents.

Important definitions in CPS 234 

Here are the key terms you need to know in CPS 234:

  • Availability refers to accessibility and usability when required 
  • Confidentiality refers to access being restricted only to those authorised
  • Criticality refers to the potential impact of a loss of availability
  • Information asset means information and information technology, including software, hardware, and data (both soft and hard copy)
  • Information security means the preservation of an information asset’s confidentiality, integrity, and availability
  • Information security capability means the totality of resources, skills, and controls which provide the ability and capacity to maintain information security 
  • Information security control means a prevention, detection, or response measure to reduce the likelihood or impact of an information security incident 
  • Information security incident means an actual or potential compromise of information security
  • Information security policy framework means the totality of policies, standards, guidelines, and procedures pertaining to information security
  • Information security threat (threat) is a circumstance or event that has the potential to exploit an information security vulnerability
  • Information security vulnerability (vulnerability) is a weakness in an information asset or information security control that could be exploited to compromise information security 
  • Integrity refers to completeness, accuracy, and freedom from unauthorised change or usage
  • Sensitivity means the potential impact of a loss of confidentiality or integrity

How does an entity comply with those requirements? The means of doing so vary by category. Under each category below, the APRA-regulated entity must:

Information security capability
  • Maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity. 
  • Where information assets are managed by a related party or third party, assess the information security capability of that party, commensurate with the potential consequences of an information security incident affecting those assets. 
  • Actively maintain its information security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or its business environment.
Policy framework
  • Maintain an information security policy framework commensurate with its exposures to vulnerabilities and threats, which provides direction on the responsibilities of all parties who have an obligation to maintain information security
Information asset identification and classification
  • Classify its information assets, including those managed by related parties and third parties, by criticality and sensitivity. This classification must reflect the degree to which an information security incident affecting an information asset has the potential to affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries, or other customers.
Implementation of controls
  • Have information security controls to protect its information assets, including those managed by related parties and third parties, that are implemented in a timely manner and that are commensurate with:
    – Vulnerabilities and threats to the information assets
    – The criticality and sensitivity of the information assets 
    – The stage at which the information assets are within their lifecycle
    – The potential consequences of an information security incident. 
  • Where an APRA-regulated entity’s information assets are managed by a related party or third party, the entity must evaluate the design of that party’s information security controls that protect the information assets of the APRA-regulated entity.
Incident management
  • Have robust mechanisms in place to detect and respond to information security incidents in a timely manner
  • Maintain plans to respond to information security incidents that the entity considers could plausibly occur (information security response plans). 
  • Those plans must include mechanisms for:
    – Managing all relevant stages of an incident, from detection to post-incident review
    – Escalation and reporting of information security incidents to the Board, other governing bodies, and individuals responsible for information security incident management and oversight, as appropriate.
  • Annually review and test its information security response plans to ensure they remain effective and fit-for-purpose.
Testing control effectiveness
  • Test the effectiveness of its information security controls through a systematic testing program. The nature and frequency of the systematic testing must be commensurate with:
    – The rate at which the vulnerabilities and threats change
    – The criticality and sensitivity of the information asset
    – The consequences of an information security incident
    – The risks associated with exposure to environments where the entity is unable to enforce its information security policies 
    – The materiality and frequency of change to information assets 
  • Where the APRA-regulated entity’s information assets are managed by a related party or a third party, and the APRA-regulated entity is reliant on that party’s information security control testing, the APRA-regulated entity must assess whether the nature and frequency of testing of controls in respect of those information assets is commensurate with the above.
  • Escalate and report to the Board or senior management any testing results that identify information security control deficiencies that cannot be remediated in a timely manner.
  • Ensure that testing is conducted by appropriately skilled and functionally independent specialists. 
  • Review the sufficiency of the testing program at least annually or when there is a material change to information assets or the business environment.
Internal audit 
  • Include a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties (information security control assurance). 
  • Ensure that the information security control assurance is provided by personnel appropriately skilled in providing such assurance. 
  • Assess the information security control assurance provided by a related party or third party where: 
    – An information security incident affecting the information assets has the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries, or other customers
    – Internal audit intends to rely on the information security control assurance provided by the related party or third party.
Notifications
  • Notify APRA as soon as possible and, in any case, no later than 72 hours after becoming aware of an information security incident that:
    (a) Materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries, or other customers
    (b) Has been notified to other regulators, either in Australia or in other jurisdictions.
  • Notify APRA as soon as possible and, in any case, no later than 10 business days after becoming aware of a material information security control weakness which the entity expects it will not be able to remediate in a timely manner.

Role of digital technology in APRA compliance

For APRA-regulated entities, CPS 234 might seem like a lot. However, adhering to best practices in information security and incident management is beneficial in and of itself.

Furthermore, digital technology can help. Integrated platforms, like Noggin Security, let entities plan and manage their information security-related information, operations, and communications. 

With their flexible, configurable, digital functionality, these platforms enable entities to (1) define information security-related roles and responsibilities; (2) maintain an information security capability; (3) implement controls to protect information assets and systematic testing and assurance; (4) notify APRA of material information security incidents.

What else? Well, these solutions capture and consume information from multiple sources, including reports, logs, communications, forms, assets, and maps, providing a real-time common operating picture of the task or operation at hand.

Leveraging powerful, yet easy-to-set-up workflows, these solutions also control and automate information security management processes and standard operating procedures, keeping the right stakeholders (internal and external) informed across multiple communications mediums. 

The solutions also track tasks to ensure that the right actions are taken and followed through, helping APRA-regulated entities assign, manage, and track resources, which are key to regulatory compliance. 

Noggin Security information and strategic incident management capabilities: 

  • Reinforce intelligence tasking and response with an auditable record of changes
  • Powerful workflow builder to automate review, approval, escalations, and interactions across the organisation and externally
  • Ability to relate assets, events, and contacts to provide a complete picture of requests, incidents, and tasks, including mapping for geospatial information, timelines for understanding changes and progressions in context, and alerts that automatically flag issues for further attention
  • Configurable dashboards that provide an executive view of progress, emerging issues and crises 
  • Support for scalable processes to handle routine or commodity threats through to Advanced Persistent Threats (APT) 
  • Support for intelligence gathering for entities of interest including evidence gathering and multi-party coordination 
  • Configurable security model to accommodate low privilege users, such as third-party IT staff to log threats and incidents or receive reports without gaining access to more sensitive information
  • Asset inventory and logging to highlight prioritised assets or other high impact items. 

Finally, APRA-regulated entities are being asked to do their part to ensure the stability of the financial system. That means implementing best practices in information security and incident management, to mitigate key threats. 

If those measures sound daunting, they don’t have to be. Digital technologies, like Noggin Security, can help regulated entities comply with their requirements expeditiously and protect themselves and their customers, thereby getting the jump on the competition.


Citations

i. Limor Kessem, Security Intelligence: Threat Actors’ Most Targeted Industries in 2020: Finance, Manufacturing and Energy. Available at https://securityintelligence.com/posts/threat-actors targetedindustries-2020-finance-manufacturing-energy/.