Navigating APRA’s CPS 234: A Universal Metric


In an era where digital innovation has become the lifeblood of businesses, cybersecurity has taken center stage in the corporate world. The Australian Prudential Regulation Authority (APRA) recognized this need and introduced CPS 234, a regulation that puts cybersecurity at the forefront of APRA-regulated entities.

APRA is currently conducting an independent tripartite cyber assessment of compliance with CPS 234, which took effect in 2019. This exercise involves more than 300 banks, insurers and superannuation trustees.

As of 5th July 2023, ~24% of regulated entities have been assessed in the first tranche. Six common gaps were identified:

  • incomplete identification and classification for critical and sensitive information assets;
  • limited assessment of third-party information security capability;
  • inadequate definition and execution of control testing programs;
  • incident response plans not regularly reviewed or tested;
  • limited internal cybersecurity audit review of information security controls; and
  • inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner.

As a cyber risk management organization and pioneer of the security ratings industry, Bitsight provides a scalable and effective means to support an organization's CPS 234 compliance needs, offering compelling context and objective, continuous monitoring of your organization’s security performance and the effectiveness of its controls. This oversight can be extended to your third-party ecosystem too, allowing for collaboration that leads to performance improvements and assurance for key stakeholders.

If you are not already familiar with APRA CPS 234, here’s a quick recap:

1. What is CPS 234, and why does it matter?

CPS 234 is APRA's response to the escalating cybersecurity threats faced by financial institutions in Australia. Introduced in July 2019, it places stringent obligations on these institutions and their Boards to ensure the confidentiality and integrity of their data. The ultimate goal? To protect the interests of depositors and policyholders.

2. How does CPS 234 affect your company?

Understanding how CPS 234 applies to your organization is paramount. It primarily impacts authorized deposit-taking institutions (ADIs), insurers, and registrable superannuation entity (RSE) licensees. If your business falls into any of these categories, CPS 234 is not optional; it's a mandate that must be addressed.

On 27th July 2023, APRA imposed a $250 million increase in the capital adequacy requirement on Medibank as a consequence of the major cyber incident in October 2022.

3. What are the key requirements of CPS 234?

CPS 234 imposes several key requirements on affected organizations. These include:

  • a. Information Security Framework - The establishment of an information security framework tailored to your organization's specific risk profile and technology environment.
  • b. Data Classification - A robust data classification mechanism to ensure sensitive data is appropriately protected.
  • c. Incident Response Plan - Comprehensive incident response plans for rapid and effective response to cybersecurity incidents.
  • d. Testing and Assurance - Regular testing and assurance activities to validate the effectiveness of your cybersecurity measures.
  • e. Supplier Security - Ensuring your third-party suppliers meet the same high standards of cybersecurity that CPS 234 mandates.

4. What happens if you fail to comply with CPS 234?

APRA has made it clear that non-compliance with CPS 234 can lead to significant consequences, including increased capital adequacy requirements and damage to an organization's reputation.

How can Bitsight enable you?

As an integrated cyber risk management solution, Bitsight allows you to collaborate internally and externally using a single universal standard based on objective data. This metric is the most validated risk rating by industry leaders, backed by enriched data combined with human curation and a transparent calculation methodology.

Bitsight analytics, supporting Security Performance Management (SPM) and Third-Party Risk Management, empower security leaders to confidently and continuously execute:

A. Risk Assessment

As part of comprehensive vendor risk assessments, you can complement security questionnaires with Bitsight data to validate responses. You can also continuously monitor changes to cyber risk postures to understand your organization's security gaps, vulnerabilities, and attack surface, and those of your third parties, non-intrusively and in a highly scalable fashion, which allows for the creation of comparable, reliable insights and metrics.

B. Gap Analysis

By mapping Bitsight risk vectors to industry standards, you can identify gaps between your current cybersecurity posture and your chosen cybersecurity framework. You can also apply the same assessments across your third-party ecosystem.

C. Security Policies and Procedures

Introduce efficiency to your existing operations and workflows across risk, performance, and exposure management to reduce costs. Determine gaps and inaccuracies in the security programs of your organization and your third parties, and work collaboratively with your vendors to address them.

D. Objective Risk and Performance Metrics

Cybersecurity analytics empower you to deliver continuous improvements to security controls and develop strategies to mitigate risks rather than resorting to whack-a-mole reactions. With capabilities like risk forecasting, attack surface analytics, prescriptive remediation plans, and financial quantification, you can manage cyber risk activities, hit KPIs, and deliver assurance of a strong security program to stakeholders.

Navigating the complex landscape of cybersecurity regulations with Bitsight

Complying with regulations like CPS 234 is no small feat, especially amid the enforcement of new regulations across the globe, such as those of the SEC in the US, or DORA and PS21/3 in Europe. Many cybersecurity leaders are embracing these initiatives as a strategic advancement to cement their critical role in the business.

Bitsight ratings and analytics enable business leaders to understand their organization’s security performance across 23 different risk vectors, and whether that performance is aligned with industry standards of care, such as those posed by APRA’s CPS 234. Capabilities like Bitsight Peer Analytics allow CISOs to analyze their organization’s performance against industry and sector peers of their choosing. Bitsight delivers a quantitative, objective analysis of organizational cybersecurity performance compared to tens, hundreds, thousands, or even hundreds of thousands of peers, all immediately available.

Having a scalable and reliable program built on a validated metric allows you to confidently provide assurance to your stakeholders. With Bitsight’s continuous and objective means of monitoring your third parties and your own organization's cybersecurity risk posture, you are well-placed to fulfill the key objective of APRA's CPS 234: minimizing the likelihood and impact of security incidents.