Data breach - Frequently asked questions
APRA is working in close collaboration with the Federal Government, peer regulators and other relevant bodies to facilitate closer coordination and a controlled process of data sharing between Optus and APRA-regulated entities. This move follows the Federal Government's changes to the Telecommunications Regulations 2021, which is intended to provide greater protection to Australians following the recent Optus data breach.
- Any data shared can only be used for the purposes of implementing enhanced monitoring and safeguards for customers affected by the data breach.
- All APRA-regulated financial institutions, excluding branches of foreign banks, would be eligible to receive the data should they choose to.
- To opt in, entities will be required to provide written attestation to APRA Prudential Standard CPS 234 Information Security, in the context of accessing data from Optus associated with the recent breach.
- Entities will also need to provide written commitments to ACCC that they will comply with Privacy Act obligations.
- APRA, ACCC and relevant bodies are working closely to coordinate required steps.
- Once an entity has complied with these requests, it would work with Optus to facilitate access to the data.
These FAQs provide further detail for financial services entities on the APRA-related process involved; they will be updated as the initiative progresses.
Updated: 6 October 2022
1. Who can access the Optus data?
APRA-regulated entities, excluding branches of foreign banks, may choose to opt in to receive the data. The process includes the step that financial services entities provide written attestation to APRA that the data will be managed in accordance with Prudential Standard CPS 234 Information Security.
2. What is required for the CPS 234 attestation to APRA?
The entity is required to meet, on an ongoing basis, the principles and requirements of Prudential Standard CPS 234 Information Security, in relation to the data it receives from Optus.
Entities must provide written attestation, as per wording given below.
An authorised officer of the entity (e.g a BEAR-authorised representative at a bank) needs to submit a signed attestation as follows:
[Entity name] attests the following statements are true and correct:
- the information that is being acquired from Optus will be used for the sole purpose of taking steps to protect customers from fraud or theft; and
- the information will be stored, managed and used in accordance with the principles and requirements of Prudential Standard CPS 234 Information Security, with appropriate information security controls relevant to protecting the information established.
This must be submitted to firstname.lastname@example.org.