Following consultation earlier in the year (see: Governance News 09/03/2018), the Australian Prudential Regulation Authority (APRA) has released the final version of its prudential standard: Prudential Standard CPS 234 Information Security (CPS 234) to strengthen APRA regulated entities' resilience against information security incidents and their ability to respond in the event of an incident. APRA has also released its response to issues raised during the consultation process.
Application of the new standard
The new standard will apply to all APRA regulated entities. This includes all authorised deposit-taking institutions (ADIs), general insurers, life insurers, private health insurers, licensees of registrable superannuation entities and authorised non-operating holding companies.
- All APRA-regulated entities are expected to meet the new requirements by 1 July 2019.
- A transition period has been included for those aspects of the new standard that apply to information assets managed by third parties. Regulated entities will have until the earlier of the next contract renewal date and 1 July 2020 to ensure that third-party arrangements comply with the new requirements.
- APRA expects to release a revised CPG 234 Management of Security Risk in Information and Information Technology in the first half of 2019 to provide guidance on the implementation of CPS 234.
- Why is this so urgent? Commenting on the implementation timeframe, APRA Executive Board Member Geoff Summerhayes said that 'fast-tracking' implementation of the new standard was justified given the high level of risk: 'A significant information security breach at an APRA-regulated entity is almost certainly a question of when – not if. In a worst-case scenario, a major breach could even force a company out of business. As a result, APRA is fast-tracking implementation of this standard,' he said.
New requirements — some key points
- The board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security. More particularly, the new standard requires that the board 'ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets and which enables the continued sound operation of the entity'.
- Clearly defined roles and responsibilities: The new standard also requires that APRA-regulated entities 'clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals with responsibility for decision-making, approval, oversight, operations and other information security function'.
- Third-party managed assets: The new standard applies to 'all information assets managed by service providers'. This includes 'all outsourcing of information assets, whether or not those assets form part of the outsourcing of material business activities', i.e. the new requirements on 'information security capability, information asset identification and classification, implementation of controls, testing control effectiveness and internal audit would apply to information assets, including those assets managed by related parties and third parties'.
- Identifying and classifying information assets: The new standard requires regulated entities to classify all information assets by both 'criticality and sensitivity…irrespective of whether the regulated entity manages the information assets itself, or the information assets are managed by a third party or related party'. APRA writes that, rather than establishing a threshold whereby controls would only apply to information assets deemed 'material', classifying assets in this way is intended to allow an entity to apply 'proportionate controls by assessing the impact of a loss of confidentiality, integrity and availability of each information asset'.
- Implementing controls to protect information assets and undertaking regular testing and assurance of the effectiveness of those controls: e.g. regulated entities will be required to review and test their information security response plans annually, and internal audit activities will be required to include a review of the design and operating effectiveness of information security controls, including those maintained by third parties.
Breach notification requirements
- The new standard requires that entities notify APRA of material information security incidents no later than 72 hours 'after becoming aware' of them. Initially, APRA proposed a notification timeframe of 24 hours. APRA comments that the 72-hour timeframe 'will provide regulated entities with appropriate time to properly assess an information security incident and determine how to deal with the issue' and also aligns with the breach notification regimes of other regulators.
- The new standard also requires that entities notify APRA 'as soon as possible' (and no later than 10 business days) after becoming aware of a material information security control weakness 'which the entity expects it will not be able to remediate in a timely manner'. This timeframe has been extended from the 5 days initially proposed.
- APRA comments that submissions received in response to the consultation generally requested clarity as to the nature and form of the notifications required to be provided to APRA, and that in response it plans to provide further guidance on the nature and form of the notification requirements. APRA expects to do this via revisions to CPG 234 Management of Security Risk in Information and Information Technology. APRA adds that, as a minimum, it would expect an entity to advise APRA of the nature of the incident and of the other regulators who have been informed.
APRA will shortly be undertaking consultation on an updated cross-industry prudential practice guide on information security, which will replace the current Prudential Practice Guide CPG 234 Management of Security Risk in Information and Information Technology to assist entities in fulfilling their requirements.
Further changes to come…
APRA states that the release of CPS 234 is part of a broader APRA project to review and update APRA's prudential framework for the management of operational risk across all APRA-regulated industries. It intends to consult on new and revised requirements and associated guidance on operational risk, outsourcing and business continuity management in 2019.
[Sources: APRA media release 7/11/2018; Prudential Standard 234 Information Security; Response Paper: Response to submissions — Information security: Cross-industry prudential standard]