If an APRA regulated institution becomes aware that it has breached (or will breach) a prudential requirement, it must give APRA a written report about the breach within the required time.
Often that breach also relates to other obligations administered by other regulators including ASIC and the Privacy Commissioner.
While APRA has an agreement with ASIC that breach notifications made to APRA’s online breach reporting system that relates to a breach which is reportable under section 912D(1B) of the Corporations Act are received by APRA as agent for ASIC, ASIC has no similar agreement with the Privacy Commissioner.
CPS 234 Information Security notifications
Australian Prudential Regulation Authority (APRA) Executive Board member Geoff Summerhayes recently provided an update on industry progress in complying with the requirements of APRA’s first information security prudential standard, CPS 234 Information Security, which came into effect on 1 July 2019.
He said that in the four months since CPS 234 came into force, APRA has received 36 incident notifications. Many of those were data breaches involving the disclosure of personal information as a result of human error (such as “accidental’ disclosure where an employee emailed a spreadsheet externally which included customer information). Other breaches involved a compromise of staff or customer credentials resulting in the unauthorised manipulation of records, website defacement and fraud.
Under CPS 234, an APRA-regulated entity is required to notify APRA of information security incidents and information security control weaknesses as soon as possible and no later than the timeframes prescribed.
CPS 234 notifications to APRA are to be made electronically using the form available on APRA’s website.
APRA must be notified within 72 hours of becoming aware of an information security incident.
Entities must report material information security control weaknesses to APRA within ten business days.
This timeframe aligns with the separate data breach notification timeframes of the Privacy Commissioner.