The APRA Prudential Standard CPS 234 came into force on 1 July 2019, yet many organizations are still feeling the strain of preparing for it. The standard fills gaps in the existing prudential framework and elevates the existing practice guide (CPG 234) from guidance to an enforceable requirement. Protection levels become more stringent because regulated entities now have to demonstrate compliance with the standard rather than just follow the guidance.
CPS 234 applies to all "APRA-regulated entities". Each must demonstrate that it maintains an information security capability commensurate with the vulnerabilities and threats to which its information assets are exposed, and that this capability enables the continued operation of the entity.
This fact sheet outlines:
- Australian APRA Prudential Standard CPS 234 overview
- Key changes with CPS 234
- How to secure your sensitive data
- How Fortra's Classifier Suite can help
Protecting the Sensitive Data of Australian Citizens
With the financial sector under ever-increasing cyber-attack, the Australian Prudential Regulation Authority (APRA) released Prudential Standard CPS 234 in response. It requires APRA-regulated entities to establish and maintain information security protections commensurate with the threats they face.
Regulated entities – which include banks, neobanks, credit unions, insurers, superannuation funds, private health insurers, and non-operating holding companies – must now demonstrate compliance with the standard rather than just follow the guidance. Ultimate responsibility for this lies with the board of each APRA-regulated entity.
Organizations must demonstrate that they maintain an information security capability commensurate with the vulnerabilities and threats to which their information assets are exposed, and that this capability enables their continued operation. CPS 234 focuses strongly on identifying and managing information assets, which under the standard means information and information technology (software, hardware and data), with the data an entity holds at the centre.
There is no need for any organization to wait: determine the risks to be managed, understand what data needs to be protected, start securing it, and put resources and policies in place. The best place to start is data classification.
The cost of non-compliance with CPS 234 is measured in reputational loss and damage to the brand – no organization wants to be known for failing to take appropriate care of private and personal information. Additionally, the regular testing and internal audit of information security controls that the standard requires make it more likely that instances of non-compliance will be noticed.
The First Steps When Securing Your Sensitive Data
The first step in using a data classification approach to ensure compliance is understanding all the personal or sensitive data you hold and the potential risks to its security.
You should ask:
- What data do you already hold?
- What data is being collected, and from where?
- Where is it being stored and processed?
- Why do you have it?
- How sensitive is it?
- How is it accessed, used or shared, internally or externally?
The data should then be classified or tagged according to its sensitivity. Once you have singled out the most confidential information, you can determine which higher-grade controls (for example encryption, restricted access and sharing controls) should be applied to ensure it is sufficiently protected.
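The inventory-then-classify-then-control sequence above is easier to reason about with a concrete classifier in hand. The following Python script is an added example written for this page; it is not part of the fact sheet and not Fortra's Classifier Suite. It scans constructed sample records for Australian Tax File Numbers (validated with the TFN weighted check digit), payment card numbers (validated with the Luhn check digit) and e-mail addresses, assigns each record the highest label any finding carries, and maps that label to a set of handling controls. The four-level label scheme, the regular expressions, the control mapping and the sample records are all assumptions made for the example; the two check-digit algorithms are the real ones, and the validation step is what stops look-alike numbers from being over-classified.

```python
import re

# Constructed label scheme, ordered from least to most sensitive (assumption, not from CPS 234).
LABELS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "HIGHLY CONFIDENTIAL")

# Constructed mapping from label to the higher-grade controls a record at that level attracts.
CONTROLS = {
    "PUBLIC": "no additional controls",
    "INTERNAL": "authenticated staff access only",
    "CONFIDENTIAL": "need-to-know access, encrypted in transit",
    "HIGHLY CONFIDENTIAL": "encrypted at rest and in transit, access logged, external sharing blocked",
}


def tfn_is_valid(digits: str) -> bool:
    """Australian Tax File Number check: weights 1,4,3,7,5,8,6,9,10; weighted sum must be divisible by 11."""
    if not re.fullmatch(r"\d{9}", digits):
        return False
    weights = (1, 4, 3, 7, 5, 8, 6, 9, 10)
    return sum(w * int(d) for w, d in zip(weights, digits)) % 11 == 0


def luhn_is_valid(digits: str) -> bool:
    """Luhn check used by payment card numbers: double every second digit from the right, sum must end in 0."""
    if not re.fullmatch(r"\d{13,19}", digits):
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def strip_separators(raw: str) -> str:
    return re.sub(r"[ -]", "", raw)


# Detectors: (name, pattern, normaliser, validator, label). Patterns are assumptions for the example.
DETECTORS = [
    ("tfn", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), strip_separators, tfn_is_valid, "HIGHLY CONFIDENTIAL"),
    ("pan", re.compile(r"\b(?:\d[ -]?){13,19}\b"), strip_separators, luhn_is_valid, "HIGHLY CONFIDENTIAL"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), str, lambda v: True, "CONFIDENTIAL"),
    ("internal-marker", re.compile(r"\bINTERNAL ONLY\b"), str, lambda v: True, "INTERNAL"),
]


def mask(value: str) -> str:
    """Keep only the last four characters so findings can be logged without re-exposing the data."""
    return value[-4:].rjust(len(value), "*")


def classify(text: str):
    """Return (label, findings) where findings is a list of (detector, label, masked value)."""
    findings = []
    for name, pattern, normalise, validate, label in DETECTORS:
        for match in pattern.finditer(text):
            value = normalise(match.group(0))
            if validate(value):  # checksum failure means a look-alike number, not a real identifier
                findings.append((name, label, mask(value)))
    label = max((f[1] for f in findings), key=LABELS.index, default="PUBLIC")
    return label, findings


def classify_records(records: dict) -> dict:
    """Label every record in an inventory; the label drives which controls apply."""
    return {name: classify(text)[0] for name, text in records.items()}


# Constructed sample inventory: the look-alike record carries numbers that fail their check digits.
SAMPLE_RECORDS = {
    "newsletter.txt": "Our branch opening hours are 9am to 5pm, Monday to Friday.",
    "roster.txt": "INTERNAL ONLY: shift roster for the Sydney contact centre.",
    "enquiry.txt": "Customer enquiry from jane.citizen@example.com about her home loan.",
    "onboarding.txt": "Applicant Jane Citizen, TFN 123 456 782, card 4111 1111 1111 1111.",
    "lookalike.txt": "Order ref 123 456 789 shipped; invoice 4111 1111 1111 1112.",
}

if __name__ == "__main__":
    for name, text in SAMPLE_RECORDS.items():
        label, findings = classify(text)
        print(f"{name:16} {label:20} {CONTROLS[label]}")
        for detector, _, masked in findings:
            print(f"{'':16}   {detector}: {masked}")
```

Run as-is, the script labels the onboarding record HIGHLY CONFIDENTIAL on the strength of a valid TFN and card number, the enquiry record CONFIDENTIAL for the e-mail address, the roster INTERNAL, and both the newsletter and the look-alike record PUBLIC, because the look-alike numbers fail their check digits. In a real deployment the label would be written into the file or message as a persistent tag (for example a document property or mail header) so that downstream controls such as encryption and sharing restrictions can key off it.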
Data Classification and a Culture of Compliance
The sheer volume of unstructured data in financial firms, combined with attackers' growing professionalism and technical ability to breach perimeters, makes it impossible to rely on people and processes alone to manage sensitive personal data appropriately.
Data classification embeds a culture of compliance in an organization, involving users in identifying, managing and controlling regulated data while automating parts of the protection process to enforce rules and policies consistently.
Classifying data as a first step in addressing CPS 234 will enable the protection strategy and solutions you implement to be built around the types of data you have, and the levels of security they require.
CPS 234 encourages good security practices within financial institutions and places the main responsibility and accountability on the board. In the face of such a varied attack landscape, in a sector where digital platforms are now the norm, this is to be welcomed. But compliance with CPS 234 can be a challenge. That is why the right data classification tool can be your organization's most effective aid to CPS 234 compliance.