CPS 234 has been in effect since 1 July 2019. The first step to see if CPS 234 applies to you is to see if you’re an Australian Prudential Regulation Authority (APRA) regulated entity by visiting APRA’s website.
Before taking steps to become compliant you may want to consider the following:
- How will my organisation be impacted by a loss of availability, confidentiality, or integrity of the software, hardware and data?
- Do we have a plan in place and are we able to detect and respond to an actual compromise of our software, hardware and data?
- Is your organisation conducting regular audits of the effectiveness of its internal security controls? If not, can you conduct regular audits?
- How strong is your organisation’s incident response plan?
Any incident that can potentially affect your organisation, customers or beneficiaries must now be reported to APRA in 72 hours or less. Your incident response plan needs to cover all possible incidents with a tailor-made response; generic plans are not acceptable, and incident response exercises are now a mandatory requirement.
Moving forward, if you’re an APRA regulated entity, everyone in the organisation needs to know their responsibilities for securing data, and those responsibilities need to be documented. Entities need to have a plan in place, and trained professionals like Vertex Securities can help you develop it. The right plan depends upon your type of data, the risks, common threats and many other factors.
APRA must now be informed of any data breach or compromise. Learn about all of the CPS 234 requirements on the APRA website.