APRA unveils unified CPS 001 standard for financial institutions
Update aims to enhance regulatory clarity and compliance
By Roxanne Libatique
The Australian Prudential Regulation Authority (APRA) has announced the completion of its new cross-industry Prudential Standard CPS 001 Defined Terms (CPS 001).
This initiative consolidates existing standards related to definitions applicable to authorised deposit-taking institutions, general insurers, life insurers, and private health insurers.
Consolidation of prudential definitions
The draft version of CPS 001 was released on Nov. 27, 2023, inviting industry consultation. APRA has now finalised the standard, incorporating industry feedback.
CPS 001 merges five previous standards into a single, unified document without altering existing definitions.
The standard eliminates outdated terms, addresses redundancies, and includes new definitions for “general provisions” and “specific provisions,” previously communicated via letters. Additionally, each term is now explicitly linked to the relevant sectors.
This standard supports APRA’s digital Prudential Handbook, launched in June 2024. The handbook serves as a comprehensive resource for regulated entities, simplifying access to definitions and their application within the prudential framework.
The combination of CPS 001 and the handbook is expected to enhance regulatory clarity and compliance.
Industry consultation and feedback on CPS 001
During the consultation phase, APRA received three submissions, which endorsed the consolidation of the existing standards.
The respondents also identified opportunities for further refinement, including better alignment of definitions across the prudential framework and with legal terminology, as well as expanding the consistent application of terms across various industries.
Future considerations regarding CPS 001
APRA acknowledged the potential for further refining definitions to improve consistency within the prudential framework. The feedback received during the consultation will inform ongoing efforts to streamline regulatory language.
CPS 001 will serve as a central glossary, fostering more consistent use of terms across the industry.
Separately, APRA has published guidance on cybersecurity deficiencies it has observed across regulated entities, as part of its ongoing efforts to strengthen cyber resilience in response to the persistent threat of cyberattacks.
Key cybersecurity deficiencies
APRA’s latest guidance identified three primary areas of concern:
configuration management
privileged access management
security testing
The regulator has urged entities to reassess their cybersecurity strategies in light of these identified gaps and to take corrective action where necessary to mitigate risks.
Recommendations for enhancing cybersecurity
APRA’s recommendations included maintaining secure and up-to-date configurations for IT assets, particularly as new security threats emerge.
The guidance emphasised the need for robust change management processes to ensure configurations remain consistent, aligning with the principles in Prudential Practice Guide CPG 234 Information Security (CPG 234).
For privileged access management, APRA highlighted the necessity of accurate record-keeping for privileged accounts and ensuring that access to critical systems is tightly controlled and justified by business needs. The guidance also stressed the importance of secure storage for access credentials.
The regulator observed that many entities have limited their security testing to a small subset of IT assets, potentially leaving other areas vulnerable. It recommended a more comprehensive approach to security testing, using a range of methodologies consistent with current industry practices.
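The two observations above, inaccurate privileged-account records and security testing confined to a subset of assets, are both things an entity can check for itself before APRA does. The script below is an added, illustrative self-assessment, not APRA's tooling and not code from the guidance: it reconciles a (constructed) inventory of privileged accounts discovered on systems against an access register, flags accounts that are unregistered, lack a business justification, or have a stale access review, flags register entries that no longer exist on any system, and lists in-scope assets that have no security test on record. The account names, system names, dates and the 180-day review threshold are all assumptions chosen for the example.

```python
"""Self-assessment for privileged access records and security-testing coverage.

Added example with constructed sample data; not APRA's or any vendor's code.
"""
from datetime import date

# Constructed sample: privileged accounts discovered on systems, as an IAM or
# host inventory export might present them (account, system, last login).
DISCOVERED = [
    {"account": "svc_backup", "system": "core-banking-db", "last_login": "2024-09-01"},
    {"account": "admin_jsmith", "system": "core-banking-db", "last_login": "2024-09-10"},
    {"account": "root", "system": "policy-admin-app", "last_login": "2024-05-02"},
    {"account": "temp_contractor", "system": "claims-api", "last_login": "2024-08-30"},
]

# Constructed sample: the approved-access register that CPG 234-style
# record-keeping expects, keyed by (account, system).
REGISTER = {
    ("svc_backup", "core-banking-db"): {"justification": "nightly backups", "reviewed": "2024-07-01"},
    ("admin_jsmith", "core-banking-db"): {"justification": "", "reviewed": "2024-08-15"},
    ("root", "policy-admin-app"): {"justification": "break-glass access", "reviewed": "2023-11-20"},
    ("old_dba", "core-banking-db"): {"justification": "database admin", "reviewed": "2024-06-01"},
}

# Constructed sample: in-scope IT assets and those with a security test on record.
ASSETS = ["core-banking-db", "policy-admin-app", "claims-api", "hr-portal"]
TESTED = {"core-banking-db"}


def review_privileged_access(discovered, register, today_iso, max_review_age_days=180):
    """Return a list of (finding, (account, system)) tuples.

    Findings: 'unregistered' (on a system but not in the register),
    'no_justification' (registered without a business reason),
    'stale_review' (last access review older than the threshold),
    'not_on_system' (in the register but no longer found on any system).
    """
    today = date.fromisoformat(today_iso)
    findings = []
    seen = set()
    for acct in discovered:
        key = (acct["account"], acct["system"])
        seen.add(key)
        entry = register.get(key)
        if entry is None:
            findings.append(("unregistered", key))
            continue
        if not entry["justification"].strip():
            findings.append(("no_justification", key))
        reviewed = date.fromisoformat(entry["reviewed"])
        if (today - reviewed).days > max_review_age_days:
            findings.append(("stale_review", key))
    # Register entries with no live account are also a record-keeping failure.
    for key in register:
        if key not in seen:
            findings.append(("not_on_system", key))
    return findings


def security_testing_gaps(assets, tested):
    """Return in-scope assets with no security test on record, sorted."""
    return sorted(set(assets) - set(tested))


if __name__ == "__main__":
    for finding, key in review_privileged_access(DISCOVERED, REGISTER, "2024-09-15"):
        print(f"{finding:17} {key[0]}@{key[1]}")
    print("untested assets:", security_testing_gaps(ASSETS, TESTED))
```

Run on the sample data, the script reports a registered admin account with no justification, a break-glass root account whose review is almost a year old, a contractor account that exists on a system but not in the register, a register entry with no matching account, and three of four assets with no test coverage; in a real entity the inputs would come from the identity provider, host inventories and the testing schedule rather than literals.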
Entities are reminded of the requirement under paragraph 36 of CPS 234 to notify APRA of any material information security control weakness that they expect they will not be able to remediate in a timely manner.
APRA continues to encourage entities to conduct regular self-assessments and to adopt the practices outlined in CPG 234. It also recommended drawing on the Australian Signals Directorate's Essential Eight as a baseline set of mitigation strategies.