Unveiling the challenges: APRA Stocktake Exposes 6 Major Gaps to meet CPS234 Compliance

July 31, 2023 • Blog
Posted by
Mark Jones, Senior Partner Capability Solutions & Growth

The rise in cybercrime and the increasing sophistication of criminal attacks have led to major data breaches at some of the world's largest brands. Australia, too, has experienced significant cyberattacks, several of which rank among the country's most notable corporate incidents.

What is CPS234?

The Australian Prudential Regulation Authority (APRA) has issued Prudential Standard CPS 234 - Information Security, which aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyber-attacks) by maintaining an information security capability commensurate with its information security vulnerabilities and threats.

APRA's 2020-2024 Cyber Security Strategy includes a CPS234 tripartite cyber assessment program. The program is the largest study of its kind and involves a compliance assessment of more than 300 banks, insurers, and superannuation trustees by the end of 2023.

CPS234 tripartite assessment

The CPS234 tripartite assessment, following a successful pilot completed in mid-2021, has continued through 2022-23. A summary of the first round of findings from the initial assessments has been released, and it shows consistent gaps across the industry:

  1. Identification and Classification of Information Assets
  2. Information Security Controls of Third Parties
  3. Control Testing Programs
  4. Incident Response Plans
  5. Internal Audit Reviews of Information Security Controls
  6. Notification of Material Incidents and Control Weaknesses

With these focus areas identified, there are steps you can take to prepare not only for the tripartite assessment, but also to build the right level of governance around the controls so that compliance with CPS234 is maintained over time.

1: Identification and Classification of Information Assets

To effectively protect critical and sensitive data from unauthorised access or disclosure, it is crucial to establish a robust system for identifying and classifying information assets. Common gaps in current practice include the absence of clear classification policies, incomplete asset registers, and insufficient identification of assets managed by third parties.

Your approach should include:

  • Reviewing the asset classification policies and methodologies to confirm they consider the potential impact of a compromise on the entity.
  • Reviewing the current implementation of the information asset inventory repository/register, such as a configuration management database (CMDB), for streamlined asset registration and mapping of interrelationships between assets.
  • Ensuring that each information asset is assigned the highest criticality and sensitivity rating of any of the data or components it encompasses, so that an aggregate asset is never rated lower than its most sensitive constituent.

2: Information Security Controls of Third Parties

With increasing reliance on third-party service providers, ensuring the adequacy of their information security controls is crucial. Our review will focus on the common gaps such as limited scope in control assessment plans, reliance solely on self-assessment without independent testing, and insufficient testing evidence retention and follow-up.

Your approach should include:

  • Reviewing the existing process to ensure the rigour of testing is proportionate to the criticality and sensitivity of the information assets managed by third parties.
  • Assessing whether the third-party assessment process in place includes a combination of interviews, surveys, testing, certifications, contractual reviews, attestations, referrals, and independent assurance assessments.
  • Addressing how the output of the assessment process is tracked and managed so that identified risks are mitigated and followed up.

3: Control Testing Programs

To achieve a robust cybersecurity framework, a systematic testing program is essential. Our evaluation will focus on the potential gaps which may include incomplete testing programs, lack of independence, inconsistency in testing procedures, and inadequate retention of evaluation evidence.

Your approach should include:

  • Reviewing the testing schedule and testing approaches to ensure all key controls are covered and the program is effective.
  • Reviewing the assessment methodologies and success criteria, including requirements for re-testing after remediation.
  • Reviewing the resourcing approach to ensure it includes appropriately skilled and independent specialists who have no operational responsibility for the controls being validated.

4: Incident Response Plans

Preparedness for information security incidents is critical. However, many incident response plans lack completeness, regular testing, and thorough review.

Your approach should include:

  • Ensuring incident response plans, including those managed by third parties, are comprehensive and undergo annual review and testing to confirm their ongoing suitability.
  • Reviewing the detail and applicability of playbooks to ensure they cover a range of plausible disruption scenarios and provide clarity on roles and responsibilities during incidents.

5: Internal Audit Reviews of Information Security Controls

Internal audit activities must include a comprehensive review of information security controls, including those maintained by third parties. Our review will focus on how internal audit reviews are performed and how they support the control environment.

Your approach should include:

  • Reviewing how audit areas are targeted, prioritising assets where an information security compromise would have a material impact and where only limited reliance can be placed on other control testing.
  • Reviewing the scope and quality of testing conducted by other areas and by third parties to determine the degree of reliance that can be placed upon it.
  • Reviewing the process for reporting any material deficiencies or lack of assurance to the Board.

6: Notification of Material Incidents and Control Weaknesses

It is essential to establish a consistent and effective process for identifying, defining, and reporting material incidents and control weaknesses to APRA. CPS234 requires notification of a material information security incident as soon as possible and no later than 72 hours after becoming aware of it, and notification of a material control weakness that the entity expects it will not be able to remediate in a timely manner within 10 business days, so the identification criteria and escalation path need to be defined in advance.

Your approach should include:

  • Reviewing how the APRA notification requirements are incorporated into entity policies.
  • Reviewing how reporting obligations are incorporated in contracts with critical third parties, so that a third-party incident reaches you in time to meet your own notification deadline.
  • Reviewing the criteria used to identify material incidents and control weaknesses.

How we can help

To help our clients prepare for the assessments and improve the underlying controls required for CPS234, we have built a specific offering called the “CPS234 Audit Readiness Assessment”. It covers each of the six areas outlined above, and any findings come with detailed remediation actions to close the identified gaps and ensure compliance with the CPS234 requirements.

Contact us to book some time to discuss how we can help with your CPS234 requirements.

Tesserent is a full-service cybersecurity and secure cloud services provider, partnering with clients from all industries and all levels of government. Let’s talk.