The Australian Prudential Regulation Authority (APRA) has announced the completion of its new cross-industry Prudential Standard CPS 001 Defined Terms (CPS 001).
This initiative consolidates existing standards related to definitions applicable to authorised deposit-taking institutions, general insurers, life insurers, and private health insurers.
APRA outlined its responses to feedback from the November 2023 consultation process in a recent letter and published the finalised version of CPS 001. The new standard is set to take effect on Oct. 1, 2024.
The draft version of CPS 001 was released on Nov. 27, 2023, inviting industry consultation. APRA has now finalised the standard, incorporating industry feedback.
CPS 001 merges five previous standards into a single, unified document without altering existing definitions.
The standard eliminates outdated terms, addresses redundancies, and includes new definitions for “general provisions” and “specific provisions,” previously communicated via letters. Additionally, each term is now explicitly linked to the relevant sectors.
This standard supports APRA’s digital Prudential Handbook, launched in June 2024. The handbook serves as a comprehensive resource for regulated entities, simplifying access to definitions and their application within the prudential framework.
The combination of CPS 001 and the handbook is expected to enhance regulatory clarity and compliance.
During the consultation phase, APRA received three submissions, which endorsed the consolidation of the existing standards.
The respondents also identified opportunities for further refinement, including better alignment of definitions across the prudential framework and with legal terminology, as well as expanding the consistent application of terms across various industries.
APRA acknowledged the potential for further refining definitions to improve consistency within the prudential framework. The feedback received during the consultation will inform ongoing efforts to streamline regulatory language.
CPS 001 will serve as a central glossary, fostering more consistent use of terms across the industry.
APRA also recently issued new guidance aimed at addressing common cybersecurity vulnerabilities within the Australian financial services sector.
This guidance is part of the regulator’s ongoing efforts to strengthen cyber resilience across its regulated entities in response to the persistent threat of cyberattacks.
APRA’s latest guidance identified three primary areas of concern: configuration management, privileged access management, and security testing.
The regulator has urged entities to reassess their cybersecurity strategies in light of these identified gaps and to take corrective action where necessary to mitigate risks.
APRA’s recommendations included maintaining secure and up-to-date configurations for IT assets, particularly as new security threats emerge.
The guidance emphasised the need for robust change management processes to ensure configurations remain consistent, aligning with the principles in Prudential Practice Guide CPG 234 Information Security (CPG 234).
For privileged access management, APRA highlighted the necessity of accurate record-keeping for privileged accounts and ensuring that access to critical systems is tightly controlled and justified by business needs. The guidance also stressed the importance of secure storage for access credentials.
The regulator observed that many entities have limited their security testing to a small subset of IT assets, potentially leaving other areas vulnerable. It recommended a more comprehensive approach to security testing, using a range of methodologies consistent with current industry practices.
Entities are reminded of the requirement to report any cybersecurity deficiencies that could significantly affect their risk profile, as mandated under paragraph 36 of CPS 234.
APRA continues to encourage entities to conduct regular self-assessments and to adopt best practices as outlined in CPG 234. It also recommended leveraging the Essential Eight framework for mitigation strategies.