The Australian Prudential Regulation Authority (APRA) has released the final version of Prudential Standard CPS 234 Information Security (CPS 234).

The information security requirements are designed to ensure APRA-regulated entities have in place appropriate information security capabilities to be resilient against information security incidents.

The new standard will apply to all authorised deposit-taking institutions, general insurers, life insurers, private health insurers, licensees of registrable superannuation entities and authorised non-operating holding companies.

APRA has confirmed that ensuring the information security of all information assets remains the responsibility of the regulated entity and that the Board is ultimately responsible for the information security of the regulated entity.

APRA expects regulated entities to ensure the security of customer data, including, for example, borrower data.

Commencement

The new CPS 234 will commence on 1 July 2019. Where information assets are managed by third party service providers regulated entities will have until the earlier of the next contract renewal date or 1 July 2020 to ensure such arrangements comply with the prudential standard.

Obligations

CPS 234 requires APRA-regulated entities to:
• clearly define information-security related roles and responsibilities;
• maintain an information security capability commensurate with the size and extent of threats to their information assets;
• implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls; and
• promptly notify APRA of material information security incidents.

Classification of information assets

CPS 234 makes clear that a regulated entity must classify all of its information assets by both criticality and sensitivity; this applies irrespective of whether the regulated entity manages the information assets itself, or the information assets are managed by a third party or related party.

Information assets that might on the face of it be considered ’immaterial’, can provide the mechanism by which an attacker could compromise information assets with higher levels of criticality or sensitivity.

Notification to APRA of an information security incident

APRA must be notified within 72 hours of becoming aware of an information security incident . This will provide regulated entities with appropriate time to properly assess an information security incident and determine how to deal with the issue. This timeframe also aligns with the breach notification timeframes of other regulators.

Entities must report material information security control weaknesses to APRA within ten business days.  APRA is of the view that it should be made aware of control weaknesses that are not expected to be remediated in a timely manner as this could be indicative of broader issues with a regulated entity’s information security capability. For example, where control assessment activities (e.g. internal audit, disaster recovery testing, penetration testing) identify that a number of key controls are either ineffective or not present.

Other relevant APRA standards include:

CPS 231 “Outsourcing”: risk management of outsourcing arrangements for material business activities.
CPS 232 Business Continuity Management
CPG 234 “Management of Security Risk in Information and Technology”: safeguarding IT assets.
APRA “Outsourcing involving Cloud Computing Services”: using cloud services for material business activities.
CPS 220 Risk Management and SPS 220 Risk Management
CPG 235 Managing Data Risk.