APRA Prudential Standard CPS 234
Consulting Services
At Shearwater, we help APRA-regulated entities to understand their obligations under Prudential Standard CPS 234 and comply with Information Security standards set by APRA.
The main aim of the CPS 234 Standard is to ensure that APRA-regulated entities maintain information security capability and resiliency against cyber threats targeting financial institutions and the wider business community.
“A key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including information assets managed by related parties or third parties.”
The CPS 234 Standard places the ultimate responsibility for maintaining information security on the Board of the APRA regulated entity, and puts forward four key requirements that these organisations must undertake:
1 – Clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals;
2 – Maintain an information security capability that is proportionate to the size and extent of threats to its information assets, without disrupting operations;
3 – Implement and systematically test appropriate controls to protect its information assets – taking into consideration the criticality and sensitivity of those assets; and
4 – Notify APRA of material information security incidents.
We provide services and solutions to APRA-regulated entities to help them achieve compliance against the CPS 234 Standard.
When you engage Shearwater, you have the assurance that your security team is tackling security threats with the right structured approach – managing risks and protecting your organisation’s systems around the clock.
We have extensive experience in incident management and incident response preparation, including notification requirements set by the CPS 234 Standard. Our team can also help you to review and test your incident response plan regularly.
Your organisation may be subject to the Notifiable Data Breach (NDB) Scheme, obliging you to notify individuals whose personal information was compromised due to a data breach. We can help you plan your actions and responses, integrating this into your incident response plan and processes.
We can assist in developing and improving your organisation’s information security capability while ensuring it is appropriate to the size of your organisation and the threats it faces. As part of this engagement, we can help you identify your key information assets as well as help with delivery of key policy framework documents.
If your organisation is already compliant (or needs to be compliant) with other information security standards (such as ISO/IEC 27001, PCI DSS or ISM), we can also help you align these standards with your CPS 234 requirements.
Our C-Level Executive Briefings are designed to assist executives of APRA-regulated entities in discerning the requirements of the CPS 234 Standard and understanding how they apply to their organisation.
Our team can review your existing policy frameworks and policies, align policies with both CPS 234 and other security standards, and lead the full development of policies in conjunction with your internal resources.
We can conduct an information asset audit, complete with identification and prioritisation. Furthermore, our team of specialists can assist in segmenting your environment to ensure cost-effective security management.
We can work with your team to develop an overarching Risk Management framework that enables your organisation to effectively uncover, prioritise and manage risks within core systems.
CPS 234 requires that your internal audit activities include a review of the design and operating effectiveness of information security controls. We can provide this capability to your internal audit team or conduct an internal audit on your behalf.
If your organisation’s information assets are managed by a related party or a third party, we can assist you with your CPS 234 obligations for suppliers and evaluate your suppliers’ information security controls in line with APRA standards.
We can assist in implementing a suitable testing program and regime to ensure the effectiveness of security controls.