Information security prudential standard

Monday 12 March 2018

The Australian Prudential Regulation Authority (APRA) has released its first consultation draft of a cross-industry prudential standard for information security management.

The draft is titled CPS 234 Information Security Management: A new cross-industry prudential standard. It was released last Thursday.

"Australian financial institutions are among the top targets of cyber criminals seeking money or customer data, and the threat is accelerating," APRA Executive Board Member Geoff Summerhayes said.

The draft standard comes just weeks after the commencement of the Notifiable Data Breaches (NDB) scheme, which came into effect on 22 February.

Cyber risk and information security are also matters the Australian Securities and Investments Commission (ASIC) considers when assessing the cyber resilience of the companies it regulates.

Two key elements need to be taken into account when considering CPS 234. First, boards will ultimately be held responsible for information security. Second, ADIs, which must also comply with the Banking Executive Accountability Regime (the BEAR), will have to nominate a senior executive to be held accountable for information management and information technology systems.

Submissions to the consultation remain open until 7 June of this year. After that, the prudential regulator intends to finalise the standard, with the final version intended to take effect from 1 July 2019.

The standard will apply to:

  • Authorised deposit-taking institutions (ADIs);
  • General insurers and private health insurers;
  • Licensees of registrable superannuation entities (RSE licensees); and
  • Authorised non-operating holding companies.

Risk management & information risk

Until now, the only binding prudential standards touching information security were Prudential Standard CPS 220 Risk Management and its superannuation counterpart SPS 220 Risk Management; the existing CPG 234 is a prudential practice guide, not a legally binding standard.

According to the discussion paper, draft CPS 234 is intended to sit within the broader risk management framework established by CPS/SPS 220, but it does not explicitly cross-reference the risk management principles in those standards.

“Also, the notion of ‘vulnerabilities and threats’ is used in place of ‘risk’ to reflect the nature of information security,” said Summerhayes.

The draft also covers roles and responsibilities, an entity's information security capability, information assets and the controls that protect them, testing and internal audit of those controls, and notification of information security incidents to APRA.

According to the draft consultation paper:

APRA action to date has included the introduction of Prudential Practice Guide CPG 234 Management of security risk in information and information technology (CPG 234), increased on-site supervision and an increased expectation for entities to secure themselves against information security attacks and implement improved mechanisms to quickly detect and respond to attacks when they occur. The introduction of a new cross-industry information security prudential standard addresses the need to establish minimum standards across all industries.

Summerhayes added that "implementing legally-binding minimum standards on information security is aimed at increasing the safety of the data Australians entrust to their financial institutions, and enhances overall system stability."