New board requirements and responsibilities: information security

02.05.2019 Anthony Borgese, Alexander Horder, Aaron Bicknell

APRA prudential standard CPS 234 imposes additional obligations on regulated entities in matters of information security, and requires company boards to take more responsibility in ensuring the security of the data they hold.

Key takeouts

Board members of APRA regulated entities have additional responsibilities to understand and engage with information security matters.

APRA regulated entities are now required to maintain security capabilities commensurate with the size and extent of the threats to the information assets they hold. These capabilities must be regularly tested and reviewed.

APRA are implementing a new notification regime for data security incidents.

From 1 July this year, APRA-regulated entities will be required under Prudential Standard CPS 234 on Information Security (Standard) to ensure their resilience against information security incidents. They will do this by developing information security capabilities commensurate with the information security vulnerabilities inside their organisations, as well as the threats to which they may be exposed. The Standard also imposes requirements on regulated entities in terms of the way those entities respond to and remedy information security breaches.

Broadly, the Standard requires APRA-regulated entities to:

  • clearly define information-security roles and responsibilities within the organisation;
  • maintain an information security capability commensurate with the size and extent of threats to that entity's information assets;
  • implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls; and
  • promptly notify APRA of material information security incidents.

Compliance with the Standard is of particular importance for clients in the financial sector. By virtue of the wealth of data they hold, these organisations are common targets for cyber-attacks, and their increasing use of technology to deliver operational efficiency and greater service to customers widens the surface exposed to those attacks.

Board and management responsibility

APRA's primary intention is to heighten Board engagement with information security by placing ultimate responsibility for it on the Board of a regulated entity. The Board, senior management and governance personnel are expected to be fully engaged both in enacting methods of prevention and in remedying information security incidents, and to have general responsibility for the entity's information security functions, including decision-making, approval, oversight and operations.

For our APRA-regulated clients, we envisage that the Standard will require ongoing education of Board members to ensure an understanding of information security issues within their organisations, including vulnerabilities and potential threats posed by a dynamic and rapidly evolving digital environment, as well as knowledge of any major changes to their risk profile.

Understanding your information assets

The Standard outlines the importance of an entity understanding its information assets as part of ensuring ongoing security. This is not only a question of what information is held, but also the form in which it is held and the levels of criticality and sensitivity applied to it. Banks and insurers, for example, as major custodians of personal and sensitive information, will be required to categorise the information they hold in accordance with this metric and apply higher or lower levels of security as required.

Understanding your threat environment

The Standard also requires entities to engage in ongoing analysis of their own threat environment, noting that this environment is in a constant state of change. Whilst it is important that entities focus on direct threats, the inter-connectedness of the digital environment means that non-specific, unidentified threats must also be considered and protected against. The Standard therefore requires entities to plan around an ever-growing range of threats.

Increased testing and reporting obligations

In response to the ever-changing nature of information security threats, APRA also requires that an entity's security systems be tested consistently. Traditionally, the most common methods of information security testing have been penetration testing and disaster recovery testing; however, the Standard now requires a more involved and considered approach. Although the approach taken is ultimately at the discretion of the entity, plans that set out how the entity responds to incidents (such as data breach and disaster recovery plans) should be put in place. Such plans must also be tested and reviewed each year to ensure they are sufficient and current.

Where information security capabilities are provided by a third party, internal audits must include an assessment of the strength of the information security and quality controls utilised by that third party provider. The same requirements that would otherwise be placed on an APRA-regulated entity under the Standard are expected to be met by those providers, and ultimate responsibility for such assessments rests with the Board. This is particularly relevant given the growing use of cloud services in the market, and entities are encouraged via the Standard to consult with APRA before engaging such providers.

Information security incidents and notification obligations

Where an entity suffers an information security incident, APRA will require notice of that incident (as soon as possible, but in any event within 72 hours) and of any recognised weakness in the entity's internal controls (where the weakness, once recognised, cannot be addressed within 10 days of identification). Further, APRA requires notification where an incident has occurred in another jurisdiction, regardless of whether any other regulators have been notified. The form of the notification is set out in more detail in the Standard.

These requirements, of course, apply in addition to the notification requirements in respect of personal information-related data breaches pursuant to the Mandatory Data Breach Notification Scheme under the Privacy Act 1988 (Cth).

Summary and further reading

In March this year, APRA released a draft Prudential Practice Guide 234 on Information Security, which is currently in its consultation stage and which aims to assist APRA-regulated entities in complying with the Standard.

Ultimately, the Standard places a higher burden on entities both in taking measures to secure their information, and addressing both potential and actual information security incidents. Going forward, entities will be expected to be much more proactive in the area of information security. For further information and assistance in understanding your obligations under the Standard, please visit the APRA website or get in touch with your contact at MinterEllison.

Implications for the financial sector/deposit-taking industries generally

APRA regulated entities will have to consider the following:

  • Entities must consistently review and, if necessary, re-define information security roles within the company;
  • different types of information held by entities must be classified in accordance with the new standard;
  • directors must educate themselves as to the direct and indirect information security threats their company faces;
  • entities may be required to upgrade their information security capabilities to comply with the new standard;
  • if not already in place, a regular testing regime must be implemented to assess any potential information security issues; and
  • entities must comply with a new notification regime for data security breaches.

MinterEllison can assist you in understanding how these additional information security requirements affect you. Our IT consultancy team, ITNewcom, can assist you with technical concerns and requirements relating to your data security systems.
