APRA has now begun issuing notices to regulated financial institutions advising them to start preparing for CPS 234 tripartite reviews.
The reviews are part of APRA’s four-year strategy to increase the rigour of compliance with CPS 234: Information Security. They require the Board of each regulated entity to engage third-party independent auditors to undertake a thorough CPS 234 compliance audit, with the results reported not only to the Board but also directly to APRA.

The audits are expected to take around three months and will need to be completed by September 2022. We can assist you in performing these reviews.

Our team has already had exposure to a number of completed tripartite reviews and tripartite readiness reviews as part of the pilot series. We can also provide assistance in developing and enhancing your approach to CPS 234 compliance, so that you are better prepared against cyber threats and better placed to meet changing regulatory requirements.

Early feedback from APRA’s tripartite reviews suggests that all financial services organisations should consider what an ongoing assurance roadmap for CPS 234 compliance will look like for FY22 and beyond.

Below are some key areas that financial institutions should start considering:

  • Has your organisation identified and documented your information security controls (rather than testing against the APRA standard)?
  • Have you implemented an annual plan for testing controls?
  • Does your internal audit form clear conclusions on design and operating effectiveness (OE) of controls?
  • Does your internal audit plan demonstrate that comprehensive assurance over information security risk is achieved over time and testing is triggered by risks or changes to the IT environment?
  • Do you have clarity over the information assets and the controls that are required to protect them?
  • Do you have visibility over compliance of third parties and key suppliers?
  • Does your Board reporting process demonstrate how the Board expects to be engaged on information security, including the escalation of risks, issues and vulnerabilities?
  • Have you considered the expertise and qualifications of personnel conducting information security control testing and performing internal audits under this standard?