The Australian Prudential Regulation Authority (APRA) has released updated prudential guidance to all APRA-regulated entities on managing information security risks, including cyber-crime.
Prudential Practice Guide CPG 234 Information Security
replaces CPG 234 Management of Security Risk in Information and Information Technology
. The updated guide will assist regulated entities to embed and comply with the requirements of APRA’s new cross-industry prudential standard, CPS 234 Information Security
, which comes into force on 1 July.
As well as releasing the final prudential practice guide, APRA has published a letter to industry responding to submissions on the draft CPG 234 released for consultation in March
. In the letter, APRA re-emphasised the need to maintain appropriate oversight of all third parties that manage information security on an entity’s behalf, including entities subject to existing regulatory oversight and service providers engaged by third party entities.
APRA Executive Board Member Geoff Summerhayes said: “Cyber-adversaries are targeting Australia’s banks, insurers and superannuation licensees with growing frequency and sophistication.
“The new standard and accompanying prudential practice guide will reinforce industry’s ability to withstand these information security threats, and respond effectively when breaches occur. It is only a matter of time until an Australian financial institution suffers a material information security breach of the kind we’ve seen overseas, so they must be prepared.
“Although many institutions are well advanced, we recognise that the new requirements materially raise the bar across the entire industry and will take time to be fully effective. We expect to see continuous improvement. If an entity assesses that it may not be able to fully comply with the new standard from 1 July, it should immediately advise its APRA supervisor,” Mr Summerhayes said.
The new CPG 234 Information Security and APRA’s letter to industry are available on APRA’s website here