Information security is a constantly evolving and dynamically changing landscape of threat and risk. Organisations that manage significant amounts of Personally Identifiable Information (PII) and personal financial information are a particularly attractive target. Unfortunately, in many cases APRA-regulated organisations of all sizes have historically found it challenging to achieve traction with information security initiatives, resulting in broad risk to the financial services industry and associated stakeholders (e.g. fund customers and members). To help address this, APRA released draft Prudential Standard CPS 234 Information Security (CPS 234) in March 2018. This prudential standard sought to ensure that APRA-regulated entities have sufficient information security capabilities in place to remain resilient against security incidents (e.g. data breaches). The final version of the standard was released in November 2018 and, following industry consultation, comes into effect on 1st July 2019.

CPS 234 applies to all APRA-regulated entities and applies equally regardless of the organisation's size and capability. APRA-regulated entities include:

When considering compliance with CPS 234, an APRA-regulated entity must address nine distinct information security areas. These areas are as follows:

In defining these requirements, CPS 234 varies from highly prescriptive to largely subjective in what it requires. As a result, some organisations may find it challenging to assess compliance. Where this is the case, Alcorn Group recommends:

For further guidance on achieving compliance with CPS 234, APRA has released the draft Prudential Practice Guide CPG 234, with the final version expected to be released prior to the CPS 234 effective date (1st July 2019).

