Cyber security in the Information Age – CPS 234 and the key role of third parties

21 November 2019

In the face of evolving cyber security threats, information security has never been more important for financial services entities and their technology partners. Key information security challenges include social engineering, fraud, hacking, mobile OS/app vulnerabilities and cyber-attacks on big data, supply chains and critical infrastructure, as well as potential impacts from natural disasters, utility failures and terrorism events. The advent of cloud-based environments adds another dimension to this mix.

To bring data security threats into focus for the financial services sector, APRA introduced its new prudential standard – CPS 234 Information Security – on 1 July 2019. CPS 234 requires APRA-regulated entities to step up and take the necessary measures to be resilient against information security incidents, including cyber-attacks, so that under all reasonable circumstances, their commitments to their members can continue to be met. New requirements include a cyber security framework that encompasses roles and responsibilities, information security capabilities, information asset identification and classification, systematic assurance, incident management, notification, testing and audit.

Recognising that APRA-regulated entities increasingly rely on other providers to help them deliver end-to-end services – and that this introduces additional vulnerabilities – CPS 234 applies to all information assets, including those managed by third parties. The objective is to minimise the possibility and impact of data security incidents relating to confidentiality, integrity or availability of the entirety of a regulated entity’s information assets.

APRA’s expectation is that by 1 July 2020, a regulated entity will take reasonable steps to satisfy itself that its existing third-party providers have sufficient measures in place to manage the additional threats resulting from such arrangements. Any new contracts or contract renewals must be CPS 234 compliant from the outset.

Bravura actively supports our clients to assess the adequacy of our policies, processes and controls in relation to their CPS 234 obligations. To find out more, please contact Head of Account Management Louise Dewar on (03) 9935 2539.

About the author

Louise Dewar

Head of Account Management – APAC

Louise Dewar is the Head of Account Management for APAC at Bravura Solutions. Based in our Melbourne office, Louise is responsible for building strong relationships with our clients and ensuring they are receiving the very best in service from Bravura Solutions. Louise has extensive experience working in the financial services and technology sectors – with over eight years of experience in the financial technology industry, more than 15 years of experience in superannuation and financial planning, and over 20 years of experience working in senior account management roles.