AWS Security Blog

New guidance to help you navigate Australian Prudential Regulation Authority requirements

There have been two noteworthy 2019 updates for Australian Prudential Regulation Authority (APRA) regulated entities such as banks, insurance companies, credit unions, deposit takers, and the superannuation industry.

On June 25, APRA released an updated version of the Prudential Practice Guide CPG 234 Information Security, which provides guidance on how to implement the revised Prudential Standard CPS 234 Information Security. The new Prudential Practice Guide has been expanded significantly compared to the previous version. The revised guidance reflects the evolving cybersecurity landscape and focuses on areas of importance to APRA regulated entities.

On July 1, APRA’s Prudential Standard CPS 234 Information Security became effective. This standard represents a set of legally enforceable information security requirements for APRA regulated entities. CPS 234 aims to:

“…ensure that an APRA regulated entity takes measures to be resilient against information security incidents (including cyberattacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats.”

In response to these updates, we have updated our AWS User Guide to Financial Services Regulations & Guidelines in Australia, which provides APRA regulated entities with a summary of APRA’s requirements, plus recommendations related to outsourcing and IT risk in the cloud. In addition to introducing the shared responsibility model, AWS Compliance Assurance Programs, and the AWS Global Infrastructure, our user guide summarizes four APRA documents that regulated entities should be aware of: APRA’s Prudential Standard CPS 231 Outsourcing, Information Paper on Outsourcing Involving Cloud Computing Services, CPS 234 Information Security, and the updated CPG 234 Information Security.

To assist our customers in meeting the updated recommendations in CPG 234 Information Security, we’ve also updated the APRA CPG 234 Workbook. The workbook is available for download through AWS Artifact (you’ll need an AWS account). Our updates reflect the revised content in APRA’s guidance, and the workbook now includes guidance on how to meet CPG 234’s recommendations for security “IN the cloud” by mapping to the five pillars of the AWS Well-Architected Framework.

As the regulatory environment continues to evolve, we’ll provide further updates on the AWS Security Blog and the AWS Compliance page. The user guide and workbook add to the resources AWS provides about financial services regulation across the world. You can find more information on cloud-related regulatory compliance at the AWS Compliance Center. You can also reach out to your AWS account manager for help finding the resources you need.

Paul Curtis

As an FSI Compliance Specialist in the Global Financial Services Industry Team, Paul works with financial organisations, supporting their risk management and compliance functions. He works with our customers’ risk teams to help them manage their technology risk in a scalable way that unlocks their ability to realize cloud benefits. Paul has over fifteen years of experience working in risk and technology across the financial services industry in Australia, Southeast Asia and South Africa. Paul holds an MBA (Corporate Governance) and is a Graduate member of the Australian Institute of Company Directors.