How insurers stay APRA compliant with GraphQL security

Back to blog

CPS 234 no barrier to insurance embracing cloud and open source software


The Australian Prudential Regulation Authority (APRA)'s Prudential Standard CPS 234 - Information Security breaks down the barriers to cloud computing and open-source software like GraphQL, rather than imposing impossible demands on the financial ecosystem.


Cyber attacks are becoming increasingly sophisticated as bad actors evolve to compromise systems, networks and data. Financial services, including insurance, are a key target for hackers looking for a payday, as the sector embraces technology to keep up with consumer expectations and drive efficiencies.


The release of a 5-year cybersecurity strategy from the Australian Prudential Regulation Authority (APRA) late last year put the spotlight on how regulated entities manage information security; the industry is on notice that self-regulation is no longer enough.


While security can be seen as a barrier for the uptake of open-source software that powers data retrieval, such as GraphQL, APRA’s updated Prudential Standard CPS 234 - Information Security, confirms that open source and cloud computing are not singled out as industry issues; when implemented correctly they may, in fact, be the enablers of next-level information security and compliance.

The buck stops with Boards as major security breach a “matter of time”

When APRA’s Executive Board Member Geoff Summerhayes addressed the Financial Services Assurance Forum in November 2020, he described it as a “matter of time” before an APRA-regulated bank, insurer or superannuation fund suffered a material cyber breach. An interconnected financial system raises the possibility that a major incident for an enterprise can cascade from the initial target through to their entire digital ecosystem; systems are only as secure as the weakest link in the chain.

By naming the boards of APRA-regulated entities as “ultimately responsible for ensuring that the entity maintains its information security”, APRA has put the onus on them to conduct urgent audits -- led by external experts -- against the CPS 234 prudential standard to ensure compliance.


The time for self-regulation is over

APRA’s concern about organisations self-reporting against CPS 234 is well-founded; over 100 organisations who self-reported compliance were later found to have significant weaknesses. Risk to any regulated enterprise risks the entire Australian financial ecosystem, prompting APRA to warn of increased enforcement of CPS 234 and the consequences of a failure to comply.
APRA's prudential standards are legally binding -- non-compliance can result in penalties covered by federal legislation including the Banking Act 1959 (Cth) and Insurance Act 1973 (Cth).

CPS 234 snapshot: Are you compliant?

  • Notification-to-APRA standards include notification within 10 business days of an information security weakness, and within 72 hours of a security incident
  • The Board is responsible for proactive oversight of information security capability -- including third-party or related parties managing information assets on their behalf
  • Entities must classify information assets by criticality and sensitivity
  • Information security response plans for incident management, from detection to post-incident review, must be reviewed and systematically tested annually
  • Internal audits must be conducted by skilled personnel, review information security controls, and assess third-party information security control assurance

How Unity Cloud’s GraphQL extensions support APRA efforts to mitigate security concerns


Does CPS 234 limit the use of cloud computing or open-source software? The short answer - no.


APRA has acknowledged the importance of directing business operations to the cloud, but CPS 234 demands that shift comes with a parallel increase in managing information security.


Concerns about safety and security for cloud solutions are common. However, industry-leading cloud providers (such as Azure and AWS), employ the world’s experts in this space and offer a level of security and auditability that is hard to attain with on-premise solutions.


GraphQL uptake in large enterprises can hit a barrier when it comes to security: GraphQL alone does not provide security controls -- that’s not its job. Our unique extension architecture via Unity Cloud empowers the capabilities of GraphQL with added security features, including:

  • Role-Based Access Controls (RBAC), which enable a high level of information security - all surface area on the API is automatically secured by default.
  • GraphQL doesn’t blindly trust user data - it validates all data inputs and can be used as a control point for cleansing and ensuring consistency across multiple systems.

Aligning with other data and privacy standards

Security doesn’t have to be a barrier -- meeting your CPS 234 obligations may align your practices for more effective compliance to other privacy laws.

The APRA security standards are more closely aligned with General Data Protection Regulation (GDPR) standards.

GraphQL provides an alternative to accessing multiple legacy systems to respond to customer data requests -- potentially replacing onerous manual processes with a single API query across dozens of core systems.

The new notification-to-APRA obligations also sit alongside the notifiable data breach scheme under the Privacy Act 1988 (Cth). The APRA standard has a broader application across all information assets, not just personal information, meaning CPS 234 compliance is likely to cover off compliance under the Privacy Act.

Balancing compliance with business needs

GraphQL can help meet your CPS 234 compliance obligations when combined with a strong and proven security model -- Codafication’s Unity Cloud platform utilises GraphQL to prioritise security along with productivity and innovation.

Stay compliant and productive with the right tools.

Talk to the GraphQL experts about information management security.

Talk to a GraphQL information security expert
James Pepplinkhouse
Chief Technology Officer at Codafication, the creators of Crunchwork, Unity, and Virtual Assist.
Industry insights you won’t delete. Delivered to your inbox weekly.