RSM Australia

CPS 234 - Opportunity for third parties with strong information security controls

Information security under CPS 234

From 1 July 2019, the boards of Australian Prudential Regulation Authority (APRA) regulated entities will be held accountable in the event of a cyber security incident under the new Information Security Prudential Standard (CPS 234).

It is important to minimise the likelihood and impact of information security incidents on the confidentiality, integrity and availability of information assets, including information assets managed by related parties or third parties.

Related parties and third parties

CPS 234 also mandates that as of 1 July 2020, any related/third parties who manage the information of an APRA-regulated entity must also adhere to CPS 234. 

An APRA-regulated entity’s information assets may be managed by a wide range of related/third parties. APRA-regulated entities are working to identify these relationships and mandate security controls to address third-party risks to their information assets. Related/third parties can be evaluated through a combination of interview, survey, control testing, certifications, contractual review, attestations and independent assurance assessments.

Compliance is often viewed as a troublesome, time-consuming ‘check-box’ exercise. APRA-regulated entities will likely use CPS 234 to consolidate providers, so third parties should treat compliance as an opportunity to gain a competitive advantage over those who have not proactively optimised their security posture prior to the due date.

Are you a ‘third party’ managing the information of an APRA-regulated entity?

If so, it is time to act now. Third-party CPS 234 compliance is required by either the next renewal date of the contract or 1 July 2020, whichever is earlier. Consideration will need to be given to all facets of the third-party lifecycle (onboarding, ongoing relationship management, and termination) and should include information security risk profiling and information security due diligence.

It is important to understand all the requirements listed in CPS 234, and those in the Prudential Practice Guide CPG 234 Information Security, to identify potential areas of non-compliance, including:

  • Defined security-related roles and responsibilities
  • Security capability aligned to threats to information assets
  • Implemented security controls to protect information assets, aligned to criticality of information assets
  • Regular systematic testing and assurance
  • Mechanisms to detect and respond to security incidents, with notification to APRA of (potential) material security incidents (72 hours)

As APRA-regulated entities will now be looking to evaluate their third parties against these requirements, it is critical to address any compliance gaps prior to the contract renewal date, or 1 July 2020, in order to ensure the contractual relationship is maintained. You also need to assess the sub-contracting/on-sourcing arrangements that you use, as these also need to be compliant.



Darren Booth
National Head of Security and Privacy Risk Services
