
Information security requirements for all APRA-regulated entities

APRA is releasing a new prudential standard and updated guidance in relation to information security across all APRA-regulated industries. As technological developments continue to expand, the scope and sophistication of potential malicious activity against financial institutions will increase. The new requirements and guidance will help regulated entities to manage these risks.
 

Consultation on Prudential Practice Guide CPG 234 Information Security (Closed)

June 2019

In June 2019, APRA released a response letter on the submissions received on the updated cross-industry Prudential Practice Guide CPG 234 Management of Security Risk in Information and Information Technology, renamed as Prudential Practice Guide CPG 234 Information Security (CPG 234).
 
This response letter details the more substantive matters raised in submissions and APRA’s responses. In addition, APRA has made a number of minor changes to CPG 234 as part of the final review process.
 
The response letter and prudential practice guide can be found below:
 

Response letter

 

Prudential practice guide

 

Non-confidential submissions

We received 5 non-confidential submissions on the updated cross-industry Prudential Practice Guide CPG 234 Information Security:
 


March 2019

In March 2019, APRA released for consultation an updated draft Prudential Practice Guide CPG 234 Management of Security Risk in Information and Information Technology.
 
The updated draft CPG 234, renamed as Prudential Practice Guide CPG 234 Information Security, is designed to assist regulated entities in complying with CPS 234 on an ongoing basis, as well as providing APRA’s observations as to what constitutes good practice in information security. 
 
Written submissions were received until 17 May 2019.
 
The consultation letter and draft prudential practice guide can be found below:
 

Consultation letter

 

Draft prudential practice guide


Consultation on the proposed cross-industry prudential standard CPS 234 Information Security (Closed)

November 2018

In November 2018, after having received and addressed a large number of submissions in response to the March consultation on draft CPS 234, APRA released the final version of Prudential Standard CPS 234 Information Security (CPS 234). 
 
These information security requirements are designed to ensure APRA-regulated entities have in place appropriate information security capabilities to be resilient against information security incidents. The new CPS 234 will commence on 1 July 2019.
 
The response letter and Prudential Standard CPS 234 Information Security can be found below:
 

Response letter

 

Prudential standard 

 

March 2018

In March 2018, APRA released for consultation a discussion paper on the introduction of a new cross-industry framework for the management of information security.
 
The proposed requirements are specified in the draft Prudential Standard CPS 234 Information Security (draft CPS 234), which APRA proposes to apply to authorised deposit-taking institutions (ADIs), general insurers, life insurers, private health insurers, licensees of registrable superannuation entities (RSE licensees) and authorised or registered non-operating holding companies.
 
Written submissions on the proposals set out in this discussion paper were received until 7 June 2018.
 
The discussion paper, draft prudential standard and non-confidential submissions can be found below:
 

Discussion paper

 

Draft prudential standard

 

Non-confidential submissions

We received 17 non-confidential submissions on the proposed prudential standard CPS 234 Information Security:
 

The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, credit unions, building societies, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding $6 trillion in assets for Australian depositors, policyholders and superannuation fund members.