
APRA consults on updated guidance for managing information security risks

The Australian Prudential Regulation Authority (APRA) has released for consultation updated guidance on protecting against the rise in information security risks, including cyber-crime.

APRA is seeking feedback on the proposed cross-industry Prudential Practice Guide 234 Information Security (CPG 234), which will replace the existing CPG 234 Management of Security Risk in Information and Information Technology.

The updated CPG 234 has been developed to help industry embed APRA’s new cross-industry prudential standard on information security, CPS 234, which comes into effect from 1 July this year. It also provides guidance on addressing several common information security weaknesses that APRA has observed through its regular supervisory activities.

The guide is aimed at boards and senior management, as well as risk and information technology experts within regulated entities. It outlines how entities can maintain information security capabilities commensurate with the size and complexity of their business and the sensitivity of the data they possess. It also explains how entities can optimise their resilience when aspects of their information security are managed by third parties.

APRA Executive Board Member Geoff Summerhayes said much had changed in the information security landscape since APRA last updated its prudential guidance in 2013.

“Australia’s banks, insurers and superannuation funds are major targets of cyber-crime, and the risk is accelerating as attackers gain in skill and technological sophistication. Unfortunately, it is only a matter of time until a significant cyber breach occurs at an Australian financial institution,” Mr Summerhayes said.

“Due to the urgency of the threat, APRA fast-tracked the implementation of CPS 234. This updated guide will assist industry to implement the requirements of the standard, recognising that not every entity has the same resources or expertise. The guide remains principles-based, but is sufficiently prescriptive to help those entities that want more specific direction on meeting their obligations.”

After an eight-week consultation, APRA will review industry feedback before releasing the final version of CPG 234 prior to CPS 234 coming into force on 1 July.

The consultation package is available on the APRA website at: https://www.apra.gov.au/information-security-requirements-all-apra-regulated-entities.

The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, mutuals, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding around $9 trillion in assets for Australian depositors, policyholders and superannuation fund members.