New cyber and information security obligations for APRA-regulated entities: Prudential Standard CPS 234 Information Security

In November 2018, the Australian Prudential Regulation Authority (APRA) released the final version of Prudential Standard CPS 234 Information Security (CPS 234), which established new cross-industry requirements for the management of information security and notification of information security incidents[1]. APRA expects affected organisations to comply with the new requirements by 1 July 2019.

CPS 234 was implemented to reduce the likelihood of, and minimise the negative consequences of, information security incidents[1]. Fundamentally, its aim is to preserve the confidentiality, integrity, and availability of information assets, which CPS 234 defines to include software, hardware, and data.

CPS 234 outlines four key requirements. It states that an APRA-regulated entity must:

  1. clearly define the information security-related responsibilities and roles of the Board, senior management, governing bodies, and individuals;
  2. maintain an information security capability which corresponds with the size and extent of threats to its information assets;[2]
  3. implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and
  4. notify APRA of material information security incidents.

Is your organisation affected?

CPS 234 applies to all ‘APRA-regulated entities’ (Entities), which include:

  1. authorised deposit-taking institutions, such as Australian-owned and foreign banks, building societies, credit unions, and non-operating holding companies under the Banking Act 1959 (Cth).
  2. general insurers, which are regulated in accordance with the Insurance Act 1973 (Cth).
  3. life companies, which includes companies engaging in life insurance businesses regulated by the Life Insurance Act 1995 (Cth), friendly societies, eligible foreign companies, and non-operating holding companies regulated under the Life Insurance Act 1995 (Cth).
  4. private health insurers, registered under the Private Health Insurance (Prudential Supervision) Act 2015 (Cth).
  5. regulated superannuation entities, including regulated superannuation funds, an approved deposit fund, or a pooled superannuation trust.

Who in an entity is responsible?

CPS 234 provides that the board of an Entity (Board) is ultimately responsible for the management of information security. The Entity must, however, clearly define information security roles and responsibilities, including for senior management, governing bodies, and individuals.

APRA notification

CPS 234 creates two new reporting obligations for Entities.

  1. APRA must be notified as soon as possible, and no later than 72 hours, after the Entity becomes aware of an information security incident that has already materially affected, or has the potential to materially affect, the Entity or its stakeholders. Additionally, an Entity also has an obligation to notify APRA of breaches that have already been notified to other regulators, such as breaches notified under other prudential standards.
  2. APRA must be notified as soon as possible, and no later than 10 business days, after the Entity becomes aware of a material weakness in its security controls which it expects it will not be able to remediate in a timely manner.

General obligations
  1. Obligations to maintain capability
    An Entity must manage its resources, skills, and controls, which provide the ability and capacity to appropriately manage information security and enable the continued sound operation of the Entity. Such capabilities should be considered in light of changes in vulnerabilities, threats, or the business environment.

  2. Obligations to maintain policies
    An Entity must put into place an information security policy which provides direction on the responsibilities of all individuals and parties who have an obligation to maintain information security.

  3. Obligations to identify and classify information assets
    CPS 234 also sets new requirements for Entities to classify information assets according to criticality and sensitivity. The purpose of the classification is to gauge the potential of that asset to affect, financially or non-financially, the Entity or the interests of stakeholders.

  4. Obligations to implement security controls and test control effectiveness
    Entities under CPS 234 have an obligation to implement information security controls to protect their information assets. This includes having robust mechanisms to respond to information security incidents in a timely manner; that is, an Entity must have an incident management response plan. Entities must also carry out an internal audit of the effectiveness of their information security controls.

    Entities must test, at least annually, the effectiveness of their information security response plans and the sufficiency of their testing program, and must also run a test when there is a material change to information assets or the business environment.

Moving forward

CPS 234 is a result of APRA's increasing focus on information security, its consideration of the results of a discussion and response paper, and a recognition of the increasing importance of cyber and information security incidents. Entities should prepare to comply with the new CPS 234 and be cognisant of any developments in this area.

------------------------------------------------------

[1] Information security incidents refer to actual or potential compromises of information security.

[2] Information security capability refers to the resources, skills, and controls which provide the ability to maintain information security.