APRA has released a package of measures, titled Information Security Management: A new cross-industry prudential standard, for industry consultation. The package is aimed at improving the ability of APRA-regulated entities to repel cyber adversaries, or to respond swiftly and effectively in the event of a breach. It enforces the guidance in CPG 234 and complements the requirements laid out in CPS 220, APRA’s cross-industry prudential standard on risk management.
The proposed new standard, CPS 234, would require regulated entities to:
- clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals;
- maintain information security capability commensurate with the size and extent of threats to information assets, and which enables the continued sound operation of the entity;
- implement information security controls to protect its information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls;
- have robust mechanisms in place to detect and respond to information security incidents in a timely manner; and
- notify APRA of material information security incidents.
The draft standard also includes assurance over the cyber capabilities of third parties such as service providers.
In a speech, APRA Executive Board Member Geoff Summerhayes observed that Australian financial institutions are among the top global targets for cyber criminals.
He said that “APRA views cyber risk as an increasingly serious prudential threat to Australian financial institutions. To put it bluntly, it is easy to envisage a scenario in which a cyber breach could potentially damage an entity so badly that it is forced out of business. I should state that we consider the chances of such an outcome to be remote, especially for larger entities that invest millions of dollars each year in reinforcing their cyber capabilities. But it is no longer beyond the realms of possibility.”
APRA is concerned that basic cyber hygiene, including timely patching of known vulnerabilities and access management, is being neglected.
APRA recommends all entities adopt an ‘assumed breach’ posture; in other words, they should presume that, at some point, their organisation will experience a significant cyber security incident.
APRA says that a significant cyber incident on an APRA-regulated entity is probably inevitable.
One area of cyber security that APRA and its international peers are watching closely is algorithm risk.