APRA’s new information security standard commences 1 July 2019.
Background
Australian Prudential Regulation Authority’s (‘APRA’) new mandatory Prudential Standard CPS 234 on Information Security (‘Standard’) comes into effect on 1 July 2019. The Standard has been drafted with the purpose of tackling the rise in information security threats.
Overview of the Standard
The new Standard sets out information security requirements for APRA-regulated entities, including ADIs, general insurers, life companies, private health insurers and registrable superannuation entities. The new Standard includes a notification regime under which APRA-regulated entities must notify APRA as soon as possible, and in any case within 72 hours, of becoming aware of a material information security incident, and as soon as possible, and in any case within 10 business days, after becoming aware of a material information security control weakness that the entity expects it will not be able to remediate in a timely manner. Key requirements of the Standard are as follows.
| Requirement | Summary |
| --- | --- |
| Roles and responsibilities | The APRA-regulated entity’s Board is ultimately responsible for information security and must ensure that information security is maintained to a level proportionate to the severity of security threats and to enable continued sound operation. |
| Information security capability | The entity must maintain an information security capability that reflects the nature of security threats. Where information assets are managed by a related party or third party, the entity must assess the capability against potential consequences of security incidents affecting those assets. |
| Policy framework | The entity must maintain an information security policy. |
| Implementation of controls | The entity must implement information security controls that appropriately identify: threats to security; criticality and sensitivity of information assets; the life-cycle of information assets; and any consequences of security incidents. |
| Incident management | The entity must have robust mechanisms to detect and respond to information security incidents in a timely manner and must review and test the effectiveness of security response plans once a year. |
| Testing control effectiveness | The entity must test information security controls. Where the entity’s information assets are managed by a related party or third party and the entity relies on that party for testing, the entity must assess the nature and frequency of that testing. The entity must review its testing program annually and when there is a material change to information assets or business environment. |
| Internal audit | The entity’s internal audit must incorporate a review of the design and operating effectiveness of information security controls, including those of relevant related parties/third parties. The entity must assess the information security control assurance provided by a related party or third party where a security incident affecting the assets has the potential to have a material effect and the entity intends to rely on that party’s assurance. |
| APRA notification | The entity must notify APRA of a material security incident (i.e. an incident that materially affected or had the potential to affect the entity or depositors, policyholders, beneficiaries or other customers) as soon as possible and no later than 72 hours after becoming aware of the incident, and as soon as possible and in any case within 10 business days after becoming aware of a material information security control weakness that the entity expects it will not be able to remediate in a timely manner. |
Draft Prudential Practice Guide
The CPG 234 Draft Prudential Practice Guide (‘Guide’) was released in March 2019 and was open for consultation until May 2019, with submissions from bodies such as the Australian Banking Association. The final Guide will be made available to the public on the APRA website. The Guide outlines a list of considerations for company boards and details techniques to assist entities in meeting the requirements under the new Standard, such as cryptography, network segmentation, restrictive segregated access controls and network traffic flow restrictions.
Key takeaways
- The board of APRA-regulated entities is ultimately responsible for managing information security protocols and compliance under the Standard;
- APRA-regulated entities will be required to notify material security incidents and certain material control weaknesses to APRA within strict time frames; and
- APRA-regulated entities must have systems and controls in place to comply with the Standard from 1 July 2019 including information security controls, incident management processes, testing and internal audits.
This article was written by Yuban Moodley, Partner and Courtney David, Law Graduate.
P: + 61 7 3169 4936
E: ymoodley@hwle.com.au