APRA to introduce first prudential standard aimed at tackling growing threat of cyber attacks

The Australian Prudential Regulation Authority (APRA) has responded to the growing threat of cyber attacks by proposing its first prudential standard on information security.

APRA today released a package of measures, titled Information Security Management: A new cross-industry prudential standard, for industry consultation. The package is aimed at shoring up the ability of APRA-regulated entities to repel cyber adversaries, or respond swiftly and effectively in the event of a breach.

The proposed new standard, CPS 234, would require regulated entities to:

• clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals;
• maintain information security capability commensurate with the size and extent of threats to information assets, and which enables the continued sound operation of the entity;
• implement information security controls to protect its information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls;
• have robust mechanisms in place to detect and respond to information security incidents in a timely manner; and
• notify APRA of material information security incidents.

Executive Board Member Geoff Summerhayes said the draft standard built on prudential guidance first released by APRA in 2010 and backed it with the force of law.

"Australian financial institutions are among the top targets of cyber criminals seeking money or customer data, and the threat is accelerating," Mr Summerhayes said.

"No APRA-regulated entity has experienced a material loss due to a cyber incident, but a significant breach is probably inevitable. In a worst-case scenario, a cyber attack could even force a company out of business."

Key areas where APRA is hoping to lift standards include assurance over the cyber capabilities of third parties such as service providers, and enhancing entities’ ability to respond to and recover from cyber incidents.

"Cyber security is generally well-handled across the financial sector, but with criminals constantly refining and expanding their tools and capabilities, complacency is not an option," Mr Summerhayes said.

"Implementing legally binding minimum standards on information security is aimed at increasing the safety of the data Australians entrust to their financial institutions and enhance overall system stability."

Submissions on the package are open until 7 June. APRA intends to finalise the proposed standard towards the end of the year, with a view to implementing CPS 234 from 1 July next year.

Copies of the consultation package are available on APRA’s website at: Information security requirements for all APRA-regulated entities

The findings of APRA’s latest cybersecurity survey can be found in the December 2017 issue of Insight.