This article was written by Cheng Lim and Rebecca Searle.
New prudential standard – CPS 234
On 7 March 2018 APRA proposed draft Prudential Standard CPS 234 Information Security (CPS 234) and a discussion paper: 'Information security management: a new cross industry prudential standard' for industry consultation.
CPS 234 is the first prudential standard to address information and cyber security. It aims to reinforce the security of Australia's finance industry by setting minimum standards for financial service institutions to manage information security and guard against cyber-attacks. CPS 234 shows an increased expectation for entities to secure themselves against attacks, and improve their processes to quickly detect and respond to attacks.
Currently, information security risk management is dealt with by APRA under Prudential Practice Guide CPG 234 Management of security risk in information and information technology and broader risk management prudential standards. CPS 234 builds on the same guidance, but is backed with the force of law.
Purpose of CPS 234
Australians entrust valuable data to APRA-regulated entities, and especially financial institutions, who have fast become major targets of cyber criminals looking for money or customer data. Cyber surveys conducted by APRA have demonstrated that information security attacks are increasing in frequency, sophistication and impact; however, the finance industry has weaknesses in its security management practices. In an address to the Insurance Council of Australia Annual Forum, APRA executive board member Geoff Summerhayes stated that a significant cyber breach of an Australian financial institution is "probably inevitable". A data breach could lead to serious reputational harm, damage to business and harm to individuals whose information is compromised.
Because of the growing threat and continuously evolving nature of cyber-attacks, APRA wishes to strengthen the ability of entities to repel cyber criminals, and respond efficiently and effectively when a cyber breach does occur. Although the finance industry generally manages cyber security competently, Summerhayes stressed that "complacency is not an option," and CPS 234 will assure legally binding minimum standards of cyber safety across all sectors. APRA considers that, on balance, CPS 234 will strengthen the resilience of the Australian regulatory financial framework, improve financial safety and promote financial system stability.
Who will CPS 234 apply to?
CPS 234 will apply to authorised deposit-taking institutions (ADIs), general insurers, life insurers, private health insurers, licensees of registrable superannuation entities and authorised or registered non-operating holding companies. APRA is seeking industry feedback on potential group application of CPS 234, whereby an APRA-regulated entity that is the head of a group must comply with the standard, and risk management requirements must be applied appropriately throughout the group (including to entities that are not APRA-regulated).
What will CPS 234 require?
APRA-regulated entities will be required to monitor their cyber defences and protection systems, have robust systems in place to detect cyber threats and attacks, and allocate responsibility for cyber security to staff members. The board of an entity has ultimate responsibility for upholding information security management commensurate with its exposures to vulnerabilities and threats.
Specifically, CPS 234 proposes the following requirements:
- Allocate responsibilities – entities must clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals. This aims to ensure that all functions necessary to manage information security are specified and designated to personnel, allowing the board to stipulate the degree of engagement it wishes to have. An ADI will need to have regard to the recently enacted Banking Executive Accountability Regime legislation, which requires an ADI to nominate a senior executive with responsibility for information management, including information technology systems.
- Appropriate information safety – entities must maintain an information security capability that is commensurate with the size and extent of threats to information assets, and which enables the continued sound operation of the entity. Entities should classify information assets by criticality and sensitivity (relating to the degree to which an incident affecting that information has the potential to affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries, or other customers).
- Controls and testing – entities must implement information security controls to protect information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls. Security controls should correspond to the criticality and sensitivity assessment of the asset. Testing of controls (including testing of controls of third parties who manage an entity's information assets) should be orderly, structured and comprehensive, commensurate with the entity's exposures to vulnerabilities and threats. Where testing identifies deficiencies that cannot be remediated in a timely manner, results should be reported to the board or senior management. CPS 234 also proposes internal audit requirements specific to information security.
- Response processes – entities must have robust mechanisms in place to detect and respond to information security incidents in a timely manner. APRA has adopted the position that entities are likely to experience cyber security breaches at some point. Therefore APRA has a specific focus on improving entities' abilities to respond to and recover from cyber incidents, noting that response plans in place at the moment are often untested and are not incorporated into disaster recovery plans. Incident management plans should manage all stages of an incident, from detection to post-incident review, and should detail reporting of information to the board and to individuals responsible for relevant functions.
- Notification – entities must notify APRA within 24 hours of experiencing an information security incident that materially affects, or has the potential to materially affect, the entity or the interests of depositors, policyholders or other customers. This notification will be independent of (and additional to) the entity's obligation to notify serious data breaches under the Privacy Act 1988 (Cth). APRA also proposes that entities notify it within 5 business days of identifying material internal control weaknesses that the entity is not able to remediate in a timely manner.
APRA has expressed concern regarding the security capabilities of third parties such as service providers. In this regard, outsourcing arrangements should be subject to appropriate due diligence, approval and ongoing monitoring of the information security capabilities of outsourcing providers, commensurate with the potential consequences of an information breach. Internal audits should also assess third-party controls over the entity's information assets.
Specifically relevant to private health insurers, the proposals set out in CPS 234 and the discussion paper form part of the first phase of the private health insurance prudential policy roadmap, which involves a review of operational risk.
Mr Summerhayes noted that APRA will consider requesting formal independent audits in the future to assess compliance with, and provide guidance on, CPS 234.
Submissions on CPS 234 are open until 7 June 2018, and APRA intends to implement the new standard from 1 July 2019.
CPS 234 forms part of a broader APRA project to update the prudential framework in respect of the management of operational risk across all APRA-regulated industries. APRA intends to consult on broader operational risk requirements later in 2018.