Australia: Information security - APRA new Prudential Standard CPS 234

To help address the risk posed from cyber-attacks the Australian Prudential Regulation Authority (APRA) has published a suite of measures to assist APRA-regulated entities minimising the likelihood and impact of cyberattacks and information security incidents.

Cyber-attacks are increasing in frequency and impact with perpetrators of such attack continuously refining their skills to access information, networks and systems world-wide. Those in the financial sector should be especially wary of such attacks, with APRA Executive Board Member Geoff Summerhayes warning that 'Australian financial institutions are among the top targets of cyber criminals seeking money or customer data, and the threat is accelerating'.¹

Boards of directors and Senior Management must be aware of the risks and ensure their company's compliance with APRA's Guidelines in this area as the board of an APRA regulated entity is ultimately responsible for ensuring that the entity maintains its information security.²

WHAT IS APRA'S NEW STANDARD?

APRA's new Prudential Standard CPS 234 is its first prudential standard relating to information security.

The Standard aims to ensure that an APRA-regulated entity takes appropriate measures to withstand and guard against information security incidents. Some of the key requirements of this new APRA standard are that an APRA-regulated entity must:

• Clearly define the information security-related roles and responsibilities of the company's board, senior management and other governing bodies²;
• Maintain an information security capability that is appropriate for the size and extent of the threats to a company's information assets;
• Implement mechanisms to protect its information assets that is appropriate with the sensitivity of those information assets, and undertake periodic testing regarding the effectiveness of those mechanism; and
• Notify APRA of material information security incidents.

Where a company's information assets are managed by a related or third party, the APRA-regulated company must assess the information security capability of that party, with special attention paid to the potential consequences of an information security incident affecting those assets.²

WHEN DOES THIS STANDARD TAKE EFFECT?

The new Prudential Standard CPS 234 commenced on 1 July 2019; however, where a third party manages an APRA-regulated entity's information assets, then the Standard's requirements will take effect from either the next renewal date with the third party or 1 July 2020, whichever occurs first.²

WHO MUST COMPLY?

This standard applies to all APRA-regulated entities. This includes:

• authorised deposit-taking institutions (ADIs), including foreign ADIs, and non-operating holding companies authorised under the Banking Act;
• general insurers, non-operating holding companies authorised under the Insurance Act;
• life companies, including friendly societies, eligible foreign life insurance companies and non-operating holding companies registered under the Private Health Insurance (Prudential Supervision) Act; and
• RSE licensees under the Superannuation Industry (Supervision) Act in respect of their business operations.²

WHAT CAN COMPANY DIRECTORS AND OTHER SENIOR MANAGERS DO TO ENSURE COMPLIANCE?

In order for a company board to be able to effectively discharge their responsibilities under the CPS 234², they should:

• Develop a policy framework that provides direction on the responsibilities of all parties who have an obligation to maintain information security. This could include a clear outline for management as to how the board expects to be engaged, including the delegation of responsibilities, escalation of risks, issues and reporting requirements.³
• Classify information assets (including those managed by third parties) by criticality and sensitivity. This would include the degree to which an information security incident has the potential to affect the entity or the interests of depositors, policyholders, beneficiaries or other customers. This could also involve asset life-cycle management that ensures that information security requirements are considered at each stage, from planning and acquisition through to decommissioning and destruction.³
• Maintain robust mechanisms to detect and respond to information security incidents in a timely manner. Part of this is that boards must maintain plans to respond to information security incidents that could plausibly occur. This information security response plan must also include the mechanisms for managing all relevant stages of an incident – from detection to a post-incident review. An APRA-regulated entity must annually review and test its information response plans to ensure they remain effective.²
• Include monitoring processes to identify usual patterns of behaviour that could be followed by a security incident. Monitoring processes could range from the physical hardware to higher level business activities such as payments, and changes to user access. Some common monitoring techniques include: network and user profiling that establishes a baseline of normal activity which can then enable the detection of anomalous activity; scanning for unauthorised hardware, software and configuration changes; logging and alerting of access to sensitive data or unsuccessful logon attempts.³
• Include a review of the design and effectiveness of information security mechanisms including those maintained by third parties in the company's internal audit activities. Notify APRA within 72 hours if the board becomes aware of any information security incident that has materially affected or had the potential to materially affect the entity of the interests of depositors, policyholders, beneficiaries or other customers.²
• Develop a training and information security awareness program. This would communicate to personnel (including third parties) regarding information security practices, policies and other expectations as well as providing information to the Board to assist them in executing their duties. This could include education regarding: personal versus corporate use of information assets; email usage, social media usage and malware protection; physical protection, including for remote access and use of mobile devices; access controls, including standards relating to passwords and other authentication techniques; handling of sensitive data; and reporting of information security incidents and concerns.³

ARE THERE ANY OTHER HELPFUL RESOURCES?

To assist company board's and senior management, APRA has also developed a new Prudential Practice Guide 234 Information Security (CPG 234). APRA Executive Board Member Geoff Summerhayes has noted that much has changed in the information security landscape since APRA last updated its prudential guidance in 2012 with 'Australia's banks, insurers and superannuation funds are major targets of cyber-crime, and the risk is accelerating as attackers gain skill and technology sophistication. Unfortunately, it is only a matter of time until a significant cyber breach occurs at an Australian financial institution'.⁴

Footnotes

1APRA to introduce first prudential standard aimed at tackling growing threat of cyber attacks
2Prudential Standard CPS 234
3Prudential Practice Guide: CPG 234 Information Security
4APRA consults on updated guidance for managing information security risks

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.