Financial services in Australia are now subject to increased cyber-security and information security regulation.
Effective 1 July 2019, APRA-regulated entities must ensure their information security capabilities comply with a new prudential standard issued by the Australian Prudential Regulation Authority (APRA), CPS 234. These enhanced information security obligations seek to ensure the continued sound operation of entities holding sensitive information despite the rise and variety of information security threats, vulnerabilities and incidents. Notifications of material information security incidents must be provided to APRA within 72 hours.
Who must comply?
CPS 234 applies to APRA-regulated entities. This sweepingly broad category includes authorised deposit-taking institutions (banks, credit unions, building societies), general insurers, life companies (including eligible foreign life insurance companies), private health insurers and registrable superannuation entity licensees (superannuation funds). Entities using third-party information security service providers have a further period of up to 12 months to comply.
What is required?
CPS 234 requires entities to ‘maintain information security in a manner commensurate with the size and extent of threats to information assets’. In essence, it requires an uplift in security capability to detect and manage ever-changing security risks to certain information. Current and emerging threats are widely acknowledged to relate to payments and card fraud, geo-positional hacking, mobile app weaknesses, and attacks on supply chains and critical infrastructure. CPS 234 sets out steps to take (summarised below).
How far-reaching is the regulation?
CPS 234 has broad application. It applies to the ‘information assets’ of APRA-regulated entities. Information assets are defined widely to include information and information technology, including hardware, software and data in hard or soft copy. It also applies to all activities undertaken by the organisation, not just material or core business activities.
Are there additional reporting obligations?
CPS 234 introduces specific, time-sensitive reporting obligations in relation to compromised or vulnerable information security:
Who is ultimately responsible?
Responsibility for failures to comply with CPS 234 rests with the Board. To satisfy their obligations, Boards will need to ensure there are effective controls, security governance, skilled personnel and information security frameworks to minimise the impact of information security incidents on the confidentiality, integrity and availability of information.
What does it mean for the financial services industry and data-driven businesses generally?
CPS 234 is an example of the ever-increasing regulation of data and of the attempts to combat cyber threats and information security vulnerabilities generally. CPS 234 requires a proactive rather than reactive approach to security and extends to vast quantities of information (in soft or hard copy), as well as to information technology itself. In this context, classification of all information, and of the environments within which it exists, is fundamental to complying with a standard that changes depending on the ‘size and extent’ of the threat. In addition, CPS 234 is an example of the growing number of potential notifications to regulators based on compromised or threatened data. With these developments, there has never been a greater need for mature data governance frameworks within all organisations.
APRA-regulated entities should review their information security-related roles, teams, policies and processes to determine the uplift required to meet CPS 234 and to ensure ongoing compliance. This will involve:
Author: Lisa Fitzgerald
Lisa Fitzgerald, Partner
T: +61 3 9321 9714
Lyn Nicholson, General Counsel
T: +61 2 8083 0463
Trent Taylor, Partner
T: +61 7 3135 0668
Andrew Hynd, Partner
T: +61 7 3135 0642
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this newsletter is accurate at the date it is received or that it will continue to be accurate in the future.