21 January 2019
The content of a recently released Australian Prudential Regulation Authority (APRA) CPS Standard (Standard) which will apply from 1 July 2019 broadens the obligations of APRA-regulated entities beyond other cybersecurity obligations, including relevant provisions in the Privacy Act 1988 (Cth).
The Standard requires APRA-regulated entities to notify APRA as soon as possible, and in any case, no later than 72 hours after becoming aware of an information security incident that materially affected, or had the potential to materially affect the entity or the interests of depositors, policy holders, beneficiaries or other customers, or has been notified to other regulators (either in Australia or overseas). An information security incident can be interpreted quite broadly, as an actual or potential compromise of information security (whether by loss of confidentiality, integrity or availability of information assets).
Whereas the usual breach notification requirements in the Privacy Act take into account whether a data breach has been remediated, (in such cases it would not need to be notified), the obligation in the Standard is much broader, and requires notification of potentially material incidents. By mandating a maximum timeframe of 72 hours, the obligation to notify also becomes time-critical. The Privacy Act requires an organisation to notify of a confirmed data breach as soon as possible, but, in contrast, stipulates that where there is only a suspicion of a breach, an assessment must be conducted within 30 days. The Privacy Act is also limited to unauthorised access or loss of personal information, whereas the Standard extends to any information security incident (where for example the data at risk may be anonymised financial data or data that, if compromised may affect the entity, regardless of whether an individual is affected).
APRA-regulated entities should look to update their information security policies and processes to accommodate the coming changes and to ensure compliance within their own organisations, and by their service providers.
The Standard also contains principles-based obligations regarding the responsibility of an organisation’s board for information security, the importance of maintaining information security capabilities and policy frameworks proportionate and relevant to the size and extent of threats it faces. Further, it also provides that APRA-regulated entities have the requirements to assess capabilities of third party providers, to classify information assets, implement various information security controls, audits and testing, and have mechanisms for incident management and response plans.
Dan Pearce, Partner
T: +61 3 9321 9840
Lyn Nicholson, General Counsel
T: +61 2 8083 0463
Trent Taylor, Partner
T: +61 7 3135 0668
Andrew Hynd, Partner
T: +61 7 3135 0642
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this publication is accurate at the date it is received or that it will continue to be accurate in the future. We are not responsible for the information of any source to which a link is provided or reference is made and exclude all liability in connection with use of these sources.