The Australian Prudential Regulation Authority (APRA) has released the final version of its prudential standard focused on information security management.
The new Prudential Standard CPS 234 Information Security will shore up APRA-regulated entities’ resilience against information security incidents (including cyber-attacks), and their ability to respond swiftly and effectively in the event of a breach.
CPS 234 requires APRA-regulated entities to:
- clearly define information-security related roles and responsibilities;
- maintain an information security capability commensurate with the size and extent of threats to their information assets;
- implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls; and
- promptly notify APRA of material information security incidents.
APRA first released a discussion paper in March outlining the intended requirements of the new prudential standard. Following extensive consultation with industry, APRA today published a Response to Submissions paper outlining the final form of the standard.
Industry was supportive of the intent and direction of CPS 234, however, APRA agreed to make several amendments including clarifying requirements for information assets managed by third parties, and modifying the timeframes for notifying APRA of information security incidents and material information security control weaknesses.
APRA Executive Board Member Geoff Summerhayes said cyber adversaries were targeting Australian financial services companies with growing frequency and sophistication.
“A significant information security breach at an APRA-regulated entity is almost certainly a question of when – not if. In a worst-case scenario, a major breach could even force a company out of business. As a result, APRA is fast-tracking implementation of this standard, and expects all regulated entities to meet its requirements by 1 July next year,”
Mr Summerhayes said.
“By introducing CPS 234, APRA aims to ensure all regulated entities develop and maintain information security capabilities that reflect the importance of the data they hold, and the significance of the threats they face.”
To help entities fulfil their requirements, APRA will shortly update Prudential Practice Guide CPG 234 Management of Information and Information Technology.
Copies of the Response Paper and the new prudential standard are available on APRA’s website at: https://www.apra.gov.au/information-security-requirements-all-apra-regulated-entities.
The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, credit unions, building societies, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding $6.5 trillion in assets for Australian depositors, policyholders and superannuation fund members.