The APRA Prudential Security Standard (CPS234) came into effect on 1st July 2019. Although the standard is designed to ensure that APRA regulated entities improve their cybersecurity resilience, it is the sort of standard that should be adopted across a broader range of industry verticals, if not all businesses.
The new Prudential Information Security Standard CPS234 came into effect at the beginning of July 2019. In an original article, the legal eagles at GT Law took the opportunity to point out 8 things you didn’t know about APRA’s new security standard.
EXTRACT:
APRA Prudential Standard CPS 234 comes into effect on Monday 1 July 2019. The standard aims to bolster the cybersecurity readiness of APRA-regulated entities and minimise the likelihood and impact of incidents on the confidentiality, integrity or availability of information and information systems. CPS 234 largely reflects APRA’s previous practice guide CPG 234, updating and adding enforceability to the obligations.
In the article, Mark Caplan, Mark Ferguson and Matthew Scrocca draw out eight key elements of the new standard. Although the standard comes into effect on 1st July 2019, if your digital assets are managed by a third party, you have until 1st July 2020 to ensure any service provider contract is compliant.
Here’s a brief summary of the other seven key points. Under the new standard, you and your IT service providers must:
- Maintain an information security capability proportionate to the extent of threats posed to your digital assets.
- Enforce an information security policy framework that outlines the responsibilities of key stakeholders.
- Identify and classify all information assets with reference to their criticality and sensitivity.
- Implement information security controls to protect assets that consider criticality, sensitivity, vulnerability and life-cycle stage.
- Have mechanisms in place to detect and respond to threats in a timely manner.
- Carry out appropriate testing of security controls and review the audit process annually.
- Notify APRA within 72 hours of identifying an information security incident that “did, or had the potential to, materially affect stakeholders”.
Senetas Opinion
The introduction of the GDPR in Europe set what is arguably the highest benchmark for cyber-security standards that the rest of the world has been compelled to match. Here, we’d like to acknowledge the importance of the cyber-security leadership shown by APRA.
What we’d like to see next is a similar initiative adopted across all industry verticals. Just as fiduciary, work-safety and other standards are set and adopted by businesses in all industries today, there is no question that cybersecurity standards must be set and adopted in the same way.
Too many high-tech organisations don’t do enough to protect their data, exposing stakeholders to a variety of risks, including loss of IP, financial penalties, privacy breaches and more. APRA’s Prudential Standard CPS 234 sets out the kind of approach to cyber-security that every organisation (APRA regulated or not) should take.
In cyber-security terms, when we’re assessing the likelihood of an organisation’s data being threatened by criminals, terrorists, rogue states or other bad actors, we refer to “attack vectors”. It is essential that all organisations understand these attack vectors and how they pertain to their digital assets.
The relative risk of cyber-attack is influenced by the perceived value of the data in question. Whilst there is an industry-specific element of risk, some vectors are common across all industries, including the volume and sensitivity of data, the IT infrastructure and the choice of cyber-security technology.
As a developer of leading encryption technologies used in more than 35 countries, designed to protect data, we see first-hand how, in 2019, breaches of unencrypted data are so unnecessary, causing avoidable harm.
If you would like help understanding your cyber-security landscape, get in touch with one of our security consultants by emailing security@senetas.com
For information about our range of data network security solutions, visit the product pages of our website:
Hardware Encryption for core network infrastructure
Virtualised encryption for virtual CPE and WAN
Encrypted file-sharing and content sanitisation