Proposed draft prudential standard CPS 234 Information Security
Why the new standard is necessary: APRA states that the proposals in the proposed draft prudential standard CPS 234 reflect the following:
- The need to address 'a clear gap in APRA’s prudential framework' and to set 'minimum requirements for the management of information security across an entity'.
- The need to address 'an entity’s exposure to the risk of information security incidents exists across its extended business environment, including information and information technology managed by third-party providers (e.g. cloud providers)'.
- The need to address weaknesses in industry’s information security management practices revealed in cyber security surveys conducted by APRA and other supervisory activities.
- The need for all entities to address the rapidly evolving nature of information security threats and vulnerabilities.
APRA adds that 'a key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity, or availability of information assets, including information assets managed by related parties or third parties'.
'Preparedness is vital': APRA states that in its view 'All APRA-regulated entities (entities) must operate on the basis that information security attacks are and will continue to remain a significant threat. Accordingly, the management of information security should be based on the expectation that significant cyber security incidents will be experienced. While to date, no entity has suffered material losses from an information security incident, and security controls have protected against past attacks, APRA strongly believes that past experience is not grounds for complacency. In APRA’s view, preparedness is vital'.
Key points: Proposed new prudential standard CPS 234
The proposed APRA Prudential Standard CPS 234 (Information security) would require APRA-regulated entities (authorised deposit-taking institutions (ADIs), general insurers, life insurers, private health insurers, licensees of registrable superannuation entities (RSE licensees) and authorised or registered non-operating holding companies) to:
- Information security is a board responsibility: APRA states that 'The Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security'. Draft CPS 234 proposes to require entities to clearly define the information security related roles and responsibilities of the board, senior management, governing bodies and individuals. The Discussion Paper notes that in implementing this requirement ADIs will need to 'have regard to the recently enacted Banking Executive Accountability Regime (BEAR) legislation, which requires an ADI to nominate a senior executive with responsibility for ’information management, including information technology systems for the ADI’'.
- Maintain information security capability commensurate with the size and extent of threats to information assets, and which enables the continued sound operation of the entity.
- Implement information security controls to protect its information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls.
- Have robust mechanisms in place to detect and respond to information security incidents in a timely manner.
- Notify APRA of material information security incidents within 24 hours.
APRA adds that the proposals in draft CPS 234 were informed by discussions with industry bodies and service providers during 2017 and build on prudential guidance released by APRA in 2010 (CPG 234). The focus, APRA states, is on setting minimum requirements for an entity’s management of information security.
Mr Summerhayes said that 'Despite APRA’s broad satisfaction with industry’s approach to cyber security to date, there is absolutely no room for complacency. We expect all entities will need to lift their efforts to comply with the new standard'.
Timeline: Consultation will close on 7 June 2018. Following the close of this consultation, APRA anticipates that the finalised prudential standard CPS 234 will be released in Q4 2018 (Mr Summerhayes stated that APRA is aiming to finalise the new standard in November) and come into effect on 1 July 2019. A discussion paper outlining CPS 234 in greater detail is now available on the APRA website.
Key Points: Address by Geoff Summerhayes to the Insurance Council of Australia Annual Forum
- Inevitability of a significant cyber incident: 'Australia is the number one target of malicious software in the Asia Pacific region' and though no APRA-regulated entity has suffered significant loss due to a cyber incident to date it's 'not for want of trying by cyber criminals' as indicated by the breaches that have occurred outside Australia, Mr Summerhayes said. He added 'APRA can only hope such incidents act as a regular jolt to the circuit board of Australian institutions, reminding them that a significant cyber incident on an APRA-regulated entity is probably inevitable'.
- Entities should adopt an 'assumed breach' posture: Mr Summerhayes stated that 'APRA recommends all entities adopt an ‘assumed breach’ posture; in other words, you should presume that, at some point, your organisation will experience a significant cyber security incident. Our view is that the maturity of regulated entities’ ability to respond to and recover from cyber security incidents varies considerably, although it seems to be improving'.
- Areas where improvement or increased vigilance is warranted: Mr Summerhayes said that though 'APRA believes cyber security is generally well-handled by the entities we regulate', increased 'vigilance' is warranted, e.g. a 'disciplined approach' to information hygiene, patching against known vulnerabilities and keeping systems current; and 'vigilance regarding access management (particularly privileged access – the ‘keys to the kingdom’) is also fundamental'.
- 'A sense of urgency is paramount given the scale of the threat and the speed with which it’s evolving as the digital world expands'. Mr Summerhayes said that the proposed new standard CPS 234 is designed to assist entities to be 'better prepared to safeguard the security of the data they hold and money they manage on behalf of their customers. Adopting an assumed breach mentality will create a sharper focus on incident detection and response capabilities and planning. This accelerating risk requires a rapid response, but also recognition that your stamina will be sorely tested. The challenge requires ongoing vigilance, improvement, investment and oversight because, though this race has no finish line, it’s not a contest you can afford to lose'.
- Cybersecurity is now a board responsibility: Mr Summerhayes emphasised that the release of the new prudential standard should be viewed as 'an indication of just how seriously APRA views the issue of cyber security'. Commenting on the new standard Mr Summerhayes said that it would 'reinforce that boards have ultimate responsibility for their entity’s information security, requiring it to be sufficient to enable, under all reasonable circumstances, the entity to meet its obligations. In order to do this, regulated entities will be expected to maintain sufficient information security capability to deal with changing vulnerabilities and threats, and continually test this for effectiveness. The standard will also require regulated entities to be able to detect and respond to information security incidents in a timely manner. In line with APRA’s Business Continuity Plan standard, regulated entities will be expected to notify APRA within 24 hours of experiencing a material information security incident'.
- APRA to consider requesting formal independent audits of compliance in future: Mr Summerhayes said that once the standard is in place, APRA would start assessing compliance in the normal way, but would consider requesting formal independent audits of compliance in due course. He added that the regulator is also strengthening internal capabilities in the area: 'In this way, our frontline supervisors will be better equipped to engage with you, assess your cyber preparedness, and give guidance on any areas that warrant improvement'.
Broader context of the proposed reform
- Part of a broader project — APRA plans further consultations on broader operational risk requirements in 2018: The discussion paper outlines that the release of the draft standard is part of a broader project to update its existing prudential standards and guidance across all APRA-regulated industries regarding operational risk, including updated standards on outsourcing and business continuity management. The objective of this project, APRA writes, is to align prudential requirements to sound industry practice and community expectations for a high degree of resilience to material operational risk incidents. APRA also intends to outline broad-based expectations for operational risk and resilience that align with the overarching risk management framework. APRA notes that the discussion paper prioritises the consultation on information security management, given that APRA does not have existing requirements in this area. APRA intends to consult on broader operational risk requirements later in 2018.
- For private health insurers, Mr Summerhayes stated in his address (referenced above) that the proposals in this paper form part of Phase one of the private health insurance prudential policy roadmap. The roadmap outlines APRA’s intention to review aspects of the prudential framework relating to operational risk, including business continuity management and outsourcing, as part of a broader APRA project to refresh those requirements across all APRA-regulated industries.
[Sources: APRA Geoff Summerhayes speech to the Insurance Council of Australia Annual Forum Computer Terminal Velocity: APRA's response to accelerating risk 07/03/2018; APRA media release 07/03/2018; APRA discussion paper: Information security management: A new cross industry prudential standard; Draft prudential standard CPS 234 Information security]