19 November 2018

Is your organisation ready for APRA’s new information security measures?

Prudential Standard – CPS 234

This article was written by Patrick Gunning and James McGrath.

On 7 November 2018 APRA released the final version of Prudential Standard CPS 234 Information Security (CPS 234) and a response paper to submissions received during the consultation period titled “Response to Submissions - Information security: Cross-industry prudential standard”. The new standard will commence on 1 July 2019.

CPS 234 is the first Australian prudential standard to specifically address information and cyber security, indicating that APRA now considers it sufficiently important to warrant a separate standard backed with the force of law. By developing a distinct prudential standard for information security, APRA has expressed a clear intention to ensure the resilience of Australia’s finance industry and minimise the likelihood and impact of information security incidents.

Unlike a “practice guide”, a prudential standard is mandatory: compliance is required of entities regulated under the Banking Act 1959 (Cth), Insurance Act 1973 (Cth), Life Insurance Act 1973 (Cth), Private Health Insurance (Prudential Supervision) Act 2015 (Cth) and Superannuation Industry (Supervision) Act 1993 (Cth).

We previously summarised the draft CPS 234 and set out the background and purpose of CPS 234. Read more about the draft prudential standard here.

Recent updates

Since the draft prudential standard was released on 7 March 2018, APRA received 39 “generally supportive” submissions. However, the final version released last week contained some key amendments, including:

Notification

In response to concerns about onerous and unachievable timeframes for notifying APRA of information security incidents, CPS 234 allows regulated entities a period of up to 72 hours to notify APRA after becoming aware of an information security incident (previously this was 24 hours after experiencing an information security incident). The extended timeframe aligns the Australian regime with breach notification timeframes under the EU General Data Protection Regulation (GDPR). Further, regulated entities will have a period of ten business days to notify APRA after becoming aware of a material information security control weakness which they expect will not be remediated in a timely manner (previously this was five business days).

Third party arrangements

APRA’s stated intention is to subject all information assets to the same level of requirements, regardless of whether a regulated entity’s information assets are managed internally or by a third party. CPS 234 now expressly applies to all information assets managed by related parties and third parties, not only those captured under agreements with service providers of outsourced material business activities. This includes all “downstream providers” in the supply chain (ie subcontractors and sub-subcontractors etc).

Transitional arrangements

To enable regulated entities with information assets managed by third parties (for example under outsourcing contracts) to review, renegotiate and amend those agreements, a transitional period has been introduced. Those entities will have until the earlier of the next renewal date of the contract with the third party (occurring on or after 1 July 2019) or 1 July 2020 to ensure that the information assets are managed in accordance with CPS 234.

Checklist of requirements

Authorised deposit taking institutions, general insurers, life insurers, private health insurers, licensees of registrable superannuation entities and authorised or registered non-operating holding companies will be subject to CPS 234.

Obligations on entities under CPS 234 include:

Allocating responsibilities

Clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals.

Creating a policy framework 

Maintain an information security policy framework which provides direction on the responsibilities of parties and is commensurate with the entity’s exposures to vulnerabilities and threats.

Assigning board responsibility 

The board is ultimately responsible for information security and must ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets and which enables the continued sound operation of the entity. 

Commencing third party assessment

Assess the information security capability of related parties or third parties managing information assets, commensurate with the potential consequences of an information security incident affecting those assets.

Classifying information 

Implement robust mechanisms to detect and respond to information security incidents in a timely manner, including all relevant stages of an incident and escalation and reporting of information security incidents.

Reviewing incident management plans 

Review and test information security response plans to ensure they remain effective and fit-for-purpose.

Auditing

Review the design and operating effectiveness of information security controls, including those maintained by related parties and third parties.

Notifying APRA

Notify APRA:

  • as soon as possible (and no later than 72 hours) after becoming aware of an information security incident;
  • as soon as possible (and no later than 10 business days) after becoming aware of a material information security control weakness which is expected to not be able to be remediated in a timely manner.

What’s next?

CPS 234 commences on 1 July 2019, subject to the transitional arrangements.

In the near future, APRA will also undertake consultation on an updated cross-industry prudential practice guide on information security, which will replace the current Prudential Practice Guide CPG 234 Management of Security Risk in Information and Information Technology.
