APRA unveils unified CPS 001 standard for financial institutions

APRA unveils unified CPS 001 standard for financial institutions

APRA unveils unified CPS 001 standard for financial institutions | Insurance Business Australia

Insurance News

APRA unveils unified CPS 001 standard for financial institutions

Update aims to enhance regulatory clarity and compliance

Insurance News

By
Roxanne Libatique

The Australian Prudential Regulation Authority (APRA) has announced the completion of its new cross-industry Prudential Standard CPS 001 Defined Terms (CPS 001).

This initiative consolidates existing standards related to definitions applicable to authorised deposit-taking institutions, general insurers, life insurers, and private health insurers.

Consolidation of prudential definitions

The draft version of CPS 001 was released on Nov. 27, 2023, inviting industry consultation. APRA has now finalised the standard, incorporating industry feedback.

CPS 001 merges five previous standards into a single, unified document without altering existing definitions.

The standard eliminates outdated terms, addresses redundancies, and includes new definitions for “general provisions” and “specific provisions,” previously communicated via letters. Additionally, each term is now explicitly linked to the relevant sectors.

This standard supports APRA’s digital Prudential Handbook, launched in June 2024. The handbook serves as a comprehensive resource for regulated entities, simplifying access to definitions and their application within the prudential framework.

The combination of CPS 001 and the handbook is expected to enhance regulatory clarity and compliance.

Industry consultation and feedback on CPS 001

During the consultation phase, APRA received three submissions, which endorsed the consolidation of the existing standards.

The respondents also identified opportunities for further refinement, including better alignment of definitions across the prudential framework and with legal terminology, as well as expanding the consistent application of terms across various industries.

See also  New MGA launches with focus on transaction liability

Future considerations regarding CPS 001

APRA acknowledged the potential for further refining definitions to improve consistency within the prudential framework. The feedback received during the consultation will inform ongoing efforts to streamline regulatory language.

CPS 001 will serve as a central glossary, fostering more consistent use of terms across the industry.

This guidance is part of the regulator’s ongoing efforts to strengthen cyber resilience across its regulated entities in response to the persistent threat of cyberattacks.

Key cybersecurity deficiencies

APRA’s latest guidance identified three primary areas of concern:


configuration management
privileged access management
security testing

The regulator has urged entities to reassess their cybersecurity strategies in light of these identified gaps and to take corrective action where necessary to mitigate risks.

Recommendations for enhancing cybersecurity

APRA’s recommendations included maintaining secure and up-to-date configurations for IT assets, particularly as new security threats emerge.

The guidance emphasised the need for robust change management processes to ensure configurations remain consistent, aligning with the principles in Prudential Practice Guide CPG 234 Information Security (CPG 234).

For privileged access management, APRA highlighted the necessity of accurate record-keeping for privileged accounts and ensuring that access to critical systems is tightly controlled and justified by business needs. The guidance also stressed the importance of secure storage for access credentials.

The regulator observed that many entities have limited their security testing to a small subset of IT assets, potentially leaving other areas vulnerable. It recommended a more comprehensive approach to security testing, using a range of methodologies consistent with current industry practices.

See also  Ambac finalizes swoop for Beat Capital Partners

Entities are reminded of the requirement to report any cybersecurity deficiencies that could significantly affect their risk profile, as mandated under paragraph 36 of CPS 234.

APRA continues to encourage entities to conduct regular self-assessments and to adopt best practices as outlined in CPG 234. It also recommended leveraging the Essential Eight framework for mitigation strategies.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!