Module Application
Is your organisation an APRA regulated entity?
Does your organisation have policies and procedures in place to manage Information Security in line with Prudential Standard CPS 234 Information Security?
Module Scope
The INFORMATION SECURITY module aims to assist regulated entities to understand what is required to comply with Prudential Standard CPS 234 Information Security (CPS 234).
CPS 234 is a regulation set by the Australian Prudential Regulation Authority (APRA) that mandates information security practices for all APRA-regulated entities. The main goals of CPS 234 are to:
- Increase resilience against cyberattacks and other information security incidents (including cyber-attacks)
- Minimise the likelihood and impact of such incidents on the confidentiality, integrity and availability of information assets
- Ensure regulated entities take necessary measures to protect information assets, including those managed by third parties
CPS 234 applies to a broad range of financial institutions regulated by APRA, including:
- Authorised deposit-taking institutions (ADIs): This includes banks, building societies, credit unions, and foreign ADIs operating in Australia, as well as non-operating holding companies licensed under the banking legislation
- General insurers: This covers a wide range of insurance providers, including life insurers, general insurers (including Category C insurers), non-operating holding companies licensed under the insurance legislation (authorised insurance NOHCs), and parent entities of Level 2 insurance groups
- Life companies: This includes life insurance companies, friendly societies, eligible foreign life insurance companies and non-operating holding companies registered under life insurance legislation
- Private health insurers: All private health insurers registered under private health insurance products legislation
- Registerable superannuation entities (RSEs): All RSEs licensed under the superannuation industry legislation, but only in respect of their business operations
Implementing CPS 234
While CPS 234 outlines the mandatory requirements, the APRA prudential practice guide offers practical guidance on how to implement those requirements effectively. The guide aims to assist regulated entities in maintaining information security and shares APRA's observations on what constitutes good information security practices.
Importantly, the guide acknowledges that a "one-size-fits-all" approach does not work for information security. It allows for flexibility in how entities implement controls, as long as the overall objectives of CPS 234 are met. This caters to the varying sizes, nature, structures, and risk profiles of regulated entities.
The guide and APRA’s observations have been incorporated throughout the INFORMATION SECURITY module to help regulated entities understand not just the minimum requirements, but also how to achieve a higher level of information security maturity.
The INFORMATION SECURITY module covers the roles and responsibilities of APRA regulated entities. The module does not cover the role or actions to be taken by consumers in the event of a breach of regulations or obligations by an organisation.