What Are the Key APRA Data Security Standards?

Financial data is among the most sensitive information an organization can possess, yet its use is essential to the health of global markets. It’s no secret, therefore, that data security in financial services is a highly scrutinized topic – and one that is subject to a plethora of data compliance regulations.

The Australian Prudential Regulation Authority (APRA) is the regulating body for financial institutions in Australia, and is one source of such compliance requirements. In recent years, it has promulgated several cross-industry publications that create stricter standards concerning data privacy and information security requirements. But understanding these standards and ensuring they are effectively implemented can be difficult in the fast-paced world of financial services. So, what can Australian organizations do to keep up?

Below are the basics you need to know about the APRA, and the guidelines it introduces in CPS 234, CPG 234, and CPG 235.

What Is the APRA?

The APRA was established by the Australian government in 1998 to supervise institutions across banking, insurance, and superannuation, and promote financial system stability in Australia. Its main purpose is to provide consumers with a reasonable level of trust in their banking institutions.

Who Must Comply with APRA Regulations?

The APRA regulates:

  • authorized deposit-taking institutions (such as banks, building societies, and credit unions)
  • general insurers
  • life insurers
  • friendly societies
  • private health insurers
  • reinsurance companies
  • superannuation funds (other than self-managed funds)

While some regulations promulgated by the APRA are industry-specific, many – including CPS 234, CPG 234, and CPG 235 – are cross-industry standards that apply to all entities under the APRA’s authority.

What Is CPS 234?

CPS 234 is a mandatory information security standard that took effect in 2019. Its goal is to ensure the resiliency of APRA-regulated entities in the face of ever-increasing cyber threats and attacks. As financial institutions are high-risk targets due to the amount and type of data they store and process, the standard requires regulated entities to maintain information security capabilities proportional to the threats and vulnerabilities they face, including information asset classification and incident detection.

What Is CPG 234?

CPG 234 is the associated guide to CPS 234. While it does not itself contain mandatory requirements, it provides recommendations for how regulated entities can comply with the mandatory requirements in CPS 234. Many of its recommendations are aligned with industry best practices, such as implementing key information security principles (e.g. least privilege). However, not every recommendation is relevant to every entity, depending on its size and the nature of its business. Regulated entities have the flexibility under CPG 234 to meet the standard's requirements in the manner best suited to their needs.

What Is CPG 235?

CPG 235 is a published guide aimed at assisting APRA-regulated entities with managing data risk. Although it is not associated with a specific mandatory standard, it recommends that governance of data risk management be aligned with the entity's broader corporate governance framework. Similar to CPG 234, entities are free to adopt practices that comport with their business needs while satisfying regulatory requirements.

Consequences of Non-Compliance

CPS 234 does not have stated consequences for violations of its requirements. However, non-compliance with APRA standards is a very serious matter that the APRA can choose to handle in various ways depending on the severity of the violation. In most situations, the APRA reacts to minor violations with non-formal enforcement tools, such as additional reporting requirements or on-site reviews. These tools are used most frequently when regulated entities are open and cooperative. If a violation is more serious or an entity is uncooperative, the APRA can opt to rely on its more formal powers. This includes injunctive declarations, civil proceedings, operational conditions, or referring matters for criminal prosecution. Individuals can also be disqualified from holding a senior role in APRA-regulated entities.

Immuta’s Data Security Platform is able to aid APRA-regulated entities with compliance with several key regulatory requirements through sensitive data discovery and classification, data access control and security implementation, and data monitoring and detection.

For more detailed information on how Immuta can help, refer to the Immuta and Australian Prudential Standards solution brief.

Get Started

See how easy it is to meet APRA requirements with Immuta for yourself.