APRA releases updated guidance on information security

Iby Boztepe

The Australian Prudential Regulation Authority (APRA) has been front page news for all the wrong reasons after an independent review slammed the regulator. The capability review into APRA was initiated as a result of a recommendation from the ‘Hayne Royal Commission’ final report released in February. Of note was recommendation 3.5: that…

APRA should seek to build strong allegiances with public and private sector experts, other regulators and financial firms to augment its internal capacity and to collaborate on ways to strengthen the cyber resilience of APRA’s regulated sectors

In response, APRA has supported this recommendation, stating that “APRA has identified cyber and technology as priority areas for focus across all APRA-regulated industries, and is developing a cyber and technology strategy that includes building strong allegiances with public and private sector experts.” It has also updated the ‘Prudential Standard CPS 234, Information Security’.

What is APRA CPS 234?

Prudential Standard CPS 234 requires an APRA-regulated entity to demonstrate that it maintains an information security capability, and places ultimate responsibility for information security with the Board.

CPS 234 also covers the entity’s extended business environment, including third parties which manage its information assets. Specific requirements include:

  • Clear definitions of information security-related roles and responsibilities.
  • Implementation of controls across the extended business environment, which are commensurate with the criticality of assets and the threat.
  • Systematic testing and assurance of control effectiveness.

CPS 234 has elevated cyber risk from an IT risk problem to a whole-of-business risk problem.

This mandatory regulation requires APRA-regulated entities to treat cyber security as a necessity and to become resilient against information security incidents (including cyber-attacks). The revised regulation came into effect on 1 July 2019.

CPS 234 applies to all APRA-regulated entities, which include authorised deposit-taking institutions and the following:

  • Private Health insurers
  • Superannuation funds
  • General Insurers
  • Non-operating holding companies
  • Life Insurers
  • Registered financial corporations (RFCs)
  • Friendly societies

Obligations on entities under CPS 234 include:

Allocating roles and responsibilities:

Clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals.

Information Security capability:

An entity must actively maintain its information security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or its business environment.

Policy Framework:

Maintain an information security policy framework which provides direction on the responsibilities of parties and is commensurate with the entity’s exposures to vulnerabilities and threats.

Information asset identification and classification:

Implement robust mechanisms to detect and respond to information security incidents in a timely manner, covering all relevant stages of an incident, including the escalation and reporting of information security incidents.

Implementation of Control:

Information security controls must be in place to protect the entity’s information assets, including those managed by related parties and third parties. These controls must be implemented in a timely manner and be commensurate with the following:

  • Vulnerabilities and threats to the information assets.
  • The criticality and sensitivity of the information assets.
  • The stage at which the information assets are within their life-cycle.
  • The potential consequences of an information security incident.

Incident Management:

Review and test information security response plans to ensure they remain effective and fit-for-purpose.

Testing Control effectiveness:

The effectiveness of the entity’s information security controls must be tested through a systematic testing program. The nature and frequency of the systematic testing must be commensurate with:

  • The rate at which the vulnerabilities and threats change.
  • The criticality and sensitivity of the information asset.
  • The consequences of an information security incident.
  • The risks associated with exposure to environments where the APRA-regulated entity is unable to enforce its information security policies.
  • The materiality and frequency of change to information assets.

Internal Audit:

Review the design and operating effectiveness of information security controls, including those maintained by related parties and third parties.

APRA Notification:

Notify APRA as soon as possible (and no later than 72 hours) after becoming aware of an information security incident, and as soon as possible (and no later than 10 business days) after becoming aware of a material information security control weakness which is not expected to be remediated in a timely manner.

What next?

CPS 234 commenced on 1 July 2019 and is subject to transitional arrangements. Exigence can help your organisation meet its CPS 234 compliance obligations, including:

  • Exigence Information Risk Assessment / Cyber Security Review & Data Governance – In today’s ever-changing world of cyber threats, it is essential that an organisation understands its current security posture. This is where an Exigence Information Risk Assessment is beneficial.
  • Incident Response Readiness Assessment – The Exigence approach is to first understand all we can about your enterprise and your industry. We then methodically inspect and assess the level of incident response readiness from different viewpoints. Some of our more mature clients only need general guidance to set them on the right path, while others need a plan built from scratch, including an Incident Response Plan, roadmaps and playbooks. An Incident Response Readiness Assessment will provide you and your stakeholders with a clear picture of current capabilities. Importantly, it will identify improvements and provide a roadmap of prioritised objectives.
  • Vulnerability Management – Exigence has many years of experience in protecting enterprise networks through effective threat and risk management programs. As a result, we can assist with everything from the development of a vulnerability management process through to the selection of appropriate supporting tools.
  • Cloud Security Review – Exigence can assist in navigating the cloud security environment. We can assess your cloud provider for key security elements such as data segmentation, regulatory practices and compliance. We can customise these checks to accommodate known issues based on a wealth of security experience, and tailor them to include your organisation’s specific requirements or compliance commitments. Exigence can also assess the maturity of your existing cloud solution to ensure that your cloud provider is performing in line with your expectations.

Contact Exigence to discuss how our specialist services can help your organisation.