June 27, 2019
Learn how to prepare for APRA Security Standard CPS 234
Authors: Chris Hockings, CTO IBM Security A/NZ, IBM Global Markets – Cognitive Solutions Unit, Industry Platforms, and Ruby Li, Associate Partner, IBM Security
From 01 July, 2019 APRA Security Standard CPS 234 will impose new cybersecurity requirements on financial institutions. The standard aims to improve the resiliency of APRA-regulated entities against information security incidents and cyber-attacks by enhancing their ability to counter vulnerabilities and threats.
A major objective of the standard is minimising the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including those managed by related parties or third parties.
Key requirements of the new security standard
APRA-regulated entities are required to demonstrate compliance in:
1. Roles and Responsibilities – Clearly defining the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals.
2. Information Security – Maintaining an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.
3. Policy Framework – Maintaining an information security policy framework commensurate with its exposure to vulnerabilities and threats.
4. Information Asset Identification and Classification – Identifying and classifying information assets, including those managed by related parties and third parties, by criticality and sensitivity.
5. Controls – Implementing information security controls to protect information assets, including those that are managed by related parties and third parties.
6. Incident Management – Having robust mechanisms in place to detect and respond to information security incidents in a timely manner.
7. Testing Control Effectiveness – Implementing a systematic testing program to test the effectiveness of information security controls.
8. Internal Audit – Constantly reviewing the design and operating effectiveness of security controls, including those maintained by related parties and third parties.
9. APRA Notification – Notifying APRA as soon as possible, and within 3 days, of a material information security incident, and within 10 days of detecting a material information security control weakness.
More information about the key requirements of the new security standard can be found here.
How IBM can assist in enhancing your cyber resiliency
IBM can help your financial institution comply with the new standard and benefit from strengthened cybersecurity. Our highly qualified consultants have extensive experience in security delivery with proven methodologies. We focus on delivering security services tailored to your organisation, following IBM Security Framework methodologies and the Cyber Resilience Lifecycle approach.
Identify – Assess your readiness, process and posture, and then define an action plan.
Protect – Discover your vulnerabilities before they are exploited and put the right protection solutions in place.
Detect – Use advanced analytics to detect attacks coming from outside your enterprise and investigate active threats hiding inside.
Respond – Remediate attack damage by responding effectively with the smartest cyber incident responders and threat intelligence.
IBM can help your enterprise assess its current capabilities against the requirements of the new security standard. We can then provide a gap analysis assessment report, develop a roadmap to attain compliance, and provide continued assessment and regular testing to help maintain compliance.
APRA Security Standard CPS 234 imposes significant new requirements on financial institutions. Meeting those requirements means your institution will both maintain regulatory compliance and strengthen its cybersecurity. To learn more about how IBM can help, talk to the IBM Cyber Elite today.
Book your consultation.