
APRA’s information security requirements: is your organisation prepared?

23rd October 2019

With one in 10 Australian businesses reporting an internet security incident breach1, effective management of increasingly prevalent and sophisticated attacks on information is critical. Australian regulators have also begun tightening data management, cyber resilience and information security requirements with APRA’s standard CPS 234.

The new standard, which came into force on 1 July 2019, clarifies steps organisations need to take regarding board oversight, information security controls and notification of information security incidents. For those organisations whose information assets are managed by third and related parties, the new APRA obligations will begin from 1 July 2020 (or the date on which the relevant third or related party arrangement is renewed or materially updated).

Establishing a clear information security framework

To be ready for 1 July 2020, regulated entities that rely heavily on external providers for information management, such as authorised deposit-taking institutions (ADIs), superannuation funds and health insurers, need to start establishing an appropriate framework now.

‘Assessing and reviewing the adequacy of the information management service provider is an essential first step in establishing a new or updated framework,’ says Daniel Muchow, Head of Cyber Security at RiskLogic. ‘The framework must also show clear ownership and accountability for information security tasks and functions, clearly define escalation paths and thresholds, and establish compensation measures.’

Detecting and responding to information security incidents

Under CPS 234, the APRA entity must also have robust mechanisms and plans to detect and respond to potential information security incidents. ‘Organisations need to be prepared for a worst-case scenario. Even the most rigorous control testing or the most sophisticated encryption protocol can be subject to attack with potential loss of information,’ says Mr Muchow.

CPS 234 applies to all information assets, not just personal information or data. This includes software, hardware and hard and soft copies of data regardless of materiality. ‘Even if an organisation considers an asset immaterial, a cyber attacker could use this asset to compromise assets with higher levels of criticality and sensitivity,’ confirms Mr Muchow.

Notifying APRA

Under CPS 234, all APRA-regulated entities must notify APRA of any information security control weakness or information security incident:

  • that is material, or
  • has been notified to any other Australian or foreign regulator.

This is required even where information assets are being managed by a third party.

The APRA-regulated entity must notify APRA of an information security incident within 72 hours after it becomes aware of the relevant incident or vulnerability. This reporting obligation reinforces the importance of rigorous protocols when working with third parties, so that information security incidents affecting outsourced assets are communicated to the contracting organisation quickly enough for it to meet the 72-hour window.

Following the Financial Services Royal Commission of 2018, we anticipate that APRA will rigorously enforce the new standard. Organisations using third party providers will need to be particularly vigilant to ensure there is a clear framework to enable compliance with APRA’s new standard.

For help protecting your information under APRA’s CPS 234, contact RiskLogic on 1300 731 138 today.

Visit the APRA website for more information on CPS 234.
