Just over a year ago, on July 1, 2019, the Australian Prudential Regulation Authority’s (APRA’s) Prudential Standard CPS 234 Information Security became effective. This standard is a set of legally enforceable information security requirements for APRA-regulated entities. CPS 234 aims to:
“…ensure that an APRA regulated entity takes measures to be resilient against information security incidents (including cyberattacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats.”
With CPS 234 now in effect for more than a year, the AWS User Guide to Financial Services Regulations & Guidelines in Australia has been reviewed and updated.
Previously, the CPS 234 Information Security section focused on explaining how AWS meets its below-the-line requirements (the controls AWS is responsible for under the shared responsibility model). We’ve built on this section to give customers guidance on how to approach meeting their own above-the-line responsibilities (the controls that remain the customer’s responsibility) with respect to CPS 234.
A particular area of focus is CPS 234’s “APRA Notification” section, which deals with requirements for APRA-regulated entities to notify APRA in the event of an actual or suspected information security incident, or upon discovery of a material security control weakness. APRA’s notification requirements have been a significant source of questions from AWS customers. The AWS User Guide includes comprehensive guidance to help customers understand how they can meet APRA’s notification requirements.
As the regulatory environment continues to evolve, we’ll provide further updates on the AWS Security Blog and the AWS Compliance page. You can find more information on cloud-related regulatory compliance at the AWS Compliance Center. You can also reach out to your AWS account manager for help finding the resources you need.