The Australian Prudential Regulation Authority (APRA) has been front page news for all the wrong reasons after an independent review slammed the regulator. The capability review into APRA was initiated as a result of a recommendation in the ‘Hayne Royal Commission’ final report released in February. Of note was recommendation 3.5, that:
APRA should seek to build strong allegiances with public and private sector experts, other regulators and financial firms to augment its internal capacity and to collaborate on ways to strengthen the cyber resilience of APRA’s regulated sectors
In response, APRA has supported this recommendation, stating that “APRA has identified cyber and technology as priority areas for focus across all APRA-regulated industries, and is developing a cyber and technology strategy that includes building strong allegiances with public and private sector experts.” It has also updated ‘Prudential Standard CPS 234, Information Security’.
Prudential Standard CPS 234 requires an APRA-regulated entity to demonstrate that it maintains an information security capability, and it places ultimate responsibility for information security with the Board.
CPS 234 has raised the importance of cyber risk, moving it from an IT risk problem to a whole-of-business risk problem.
This mandatory regulation requires APRA-regulated entities to treat cyber security as a necessity and to become resilient against information security incidents (including cyber-attacks). The revised regulation came into effect on 1 July 2019.
CPS 234 also covers the entity’s extended business environment, including third parties which manage its information assets. Specific requirements include:
Clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals.
An entity must actively maintain its information security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or its business environment.
Maintain an information security policy framework which provides direction on the responsibilities of parties and is commensurate with the entity’s exposures to vulnerabilities and threats.
Implement robust mechanisms to detect and respond to information security incidents in a timely manner, including all relevant stages of an incident and escalation and reporting of information security incidents.
Information security controls must be in place to protect the entity’s information assets, including those managed by related parties and third parties; the controls must be implemented in a timely manner and be commensurate with the following:
Review and test information security response plans to ensure they remain effective and fit-for-purpose.
The effectiveness of its information security controls must be tested through a systematic testing program. The nature and frequency of the systematic testing must be commensurate with:
Auditing: Review the design and operating effectiveness of information security controls, including those maintained by related parties and third parties.
Notify APRA as soon as possible (and no later than 72 hours) after becoming aware of an information security incident, and as soon as possible (and no later than 10 business days) after becoming aware of a material information security control weakness which the entity expects will not be able to be remediated in a timely manner.
CPS 234 commenced on 1 July 2019 and is subject to transitional arrangements. Exigence can help your organization meet its CPS 234 compliance obligations, including: