Unpacking CPS 234 information security

A complex web of cyber security obligations has been created for the superannuation industry by a recent prudential standard on information security. Many funds are struggling to develop strategies to address what is now required.

APRA's cross-industry Prudential Standard 234 Information Security (CPS 234) applies to, among others, all RSE (Registrable Superannuation Entities) licensees under the Superannuation Industry (Supervision) Act 1993.

The standard commenced on 1 July 2019, and all information assets managed by third parties must comply with CPS 234 by the earlier of 1 July 2020 or the date on which an information technology provider's contract is renewed. So, what are some practical measures that funds and trustees can take to ensure compliance with CPS 234?

What is CPS 234?

Introduced to ensure that APRA-regulated entities adopt appropriate resilience measures against security incidents (including cyber-attacks), CPS 234 requires such organisations to maintain an information security capability commensurate with their profile, relevant vulnerabilities and likely threats. Entities must also have the capability to respond swiftly and effectively in the event of a data breach. The standard builds on APRA's recent work on cloud outsourcing practices and on Prudential Standards CPS 231 Outsourcing and CPS 232 Business Continuity.

CPS 234 adopts a risk-based, principles-driven approach to cyber security and goes beyond box-ticking compliance. The standard provides that the board of an APRA-regulated entity is ultimately responsible for that entity's information security capability; for superannuation funds, this means the trustee directors. CPS 234 requires trustees to implement cyber risk identification practices and to develop an information security capability that matches the size and extent of the likely threats to their information assets.

The standard contains onerous incident reporting obligations: trustees must notify APRA as soon as possible, and within 72 hours, of experiencing an information security incident that 'materially affects or has the potential to materially affect' the entity or its members, or that has been notified to other regulators. They must also notify APRA within 10 business days after becoming aware of a material information security control weakness that cannot be remediated in a timely manner.
