
The Australian Prudential Regulation Authority (APRA) has released its final deadline for all remaining regulated entities to submit their CPS 234 tripartite assessments, as well as outlining its core enforcement and supervision priorities for the year ahead.
The prudential regulator has called for all remaining CPS 234 tripartite assessments to be submitted to it within the next six months (by end of June 2024) – nearly three years after the conclusion of the information security assessment program’s initial pilot phase.
Outlined as part of its 2020-2024 Cyber Security Strategy, the one-off tripartite assessments require regulated entities to engage an independent auditor to report on their compliance against CPS 234 – Information Security.
CPS 234, which will remain a core focus for the regulator over the next six months, requires regulated entities to maintain adequate prevention, detection and response capabilities against information security vulnerabilities and threats.
The first tranche of the tripartite assessments, which concluded at the end of 2022 with 80 organisations (representing a quarter of APRA’s regulated entities), identified several control gaps among submitting entities, including:
- incomplete identification and classification for critical and sensitive information assets;
- limited assessment of third-party information security capability;
- inadequate definition and execution of control testing programs;
- incident response plans not regularly reviewed or tested;
- limited internal audit review of information security controls; and
- inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner.
APRA noted that, post-assessment, “where entities are found to have significant vulnerabilities … [it] may intensify supervision, require root cause analysis, request remediation plans, and consider enforcement action”.
Additionally, with Prudential Standard CPS 230 – Operational Risk Management set to come into force from 1 July 2025, regulated entities have been urged to take “practical steps” to ensure compliance, “such as identifying critical operations and material service providers and building organisational awareness”.
Regulated entities can, APRA said, expect further engagements on operational resilience through 2024 to assist readiness with these operational resilience standards, including a series of information roundtables.
“This includes updated finalised guidance supported by meetings with selected entities and webinars to assess and assist readiness.”
The regulator said it also plans to finalise the associated prudential practice guide (CPG 230) in the first half of 2024 to support the transition to the new operational risk requirements.
Further, APRA said that it will continue “to ensure that all regulated entities operate with strong control frameworks, effective business continuity plans, and only rely on service providers where they are confident robust arrangements are in place.”