Board members of APRA-regulated entities have additional responsibilities to understand and engage with information security matters.
APRA-regulated entities are now required to maintain security capabilities commensurate with the size and extent of the threats to the information assets they hold. These capabilities must be regularly tested and reviewed.
APRA is implementing a new notification regime for data security incidents.
From 1 July this year, APRA-regulated entities will be required under Prudential Standard CPS 234 on Information Security (Standard) to ensure their resilience against information security incidents. They will do this by developing information security capabilities commensurate with the information security vulnerabilities within their organisations and the threats to which they may be exposed. The Standard also imposes requirements on regulated entities as to how they respond to and remedy information security breaches.
Broadly, the Standard requires APRA-regulated entities to:
Compliance with the Standard is of particular importance for clients in the financial sector. By virtue of the wealth of data they hold, these organisations are common targets for cyber-attacks, and their increasing use of technology to deliver operational efficiency and better service to customers widens that exposure.
APRA's primary intention is to heighten Board engagement with information security, by placing ultimate responsibility for it on the Board of a regulated entity. It is expected that the Board, senior management, and governance personnel be fully engaged both in enacting methods of prevention and remedying information security incidents, and have general responsibility for the entity's information security functions, including decision-making, approval, oversight and operations.
For our APRA-regulated clients, we envisage that the Standard will require ongoing education of Board members to ensure an understanding of information security issues within their organisations, including vulnerabilities and potential threats posed by a dynamic and rapidly evolving digital environment, as well as knowledge of any major changes that arise to their risk profile.
The Standard outlines the importance of an entity understanding its information assets as part of ensuring ongoing security. This is not only a question of what information is held, but also of the form in which it is held and the levels of criticality and sensitivity attached to it. Banks and insurers, for example, as major custodians of personal and sensitive information, will be required to categorise the information they hold according to these criteria and apply higher or lower levels of security as appropriate.
The Standard also requires entities to engage in ongoing analysis of their own threat environment, noting that this environment is in a constant state of change. Whilst it is important that entities focus on direct threats, the interconnectedness of the digital environment means that non-specific, unidentified threats must also be considered and protected against. The Standard calls on entities to plan for an ever-growing range of threats.
In response to the ever-changing nature of information security threats, APRA also requires that an entity's security systems be tested consistently. Traditionally, the most common methods of information security testing have been penetration testing and disaster recovery testing; however, the Standard now requires a more involved and considered approach. Although the approach is ultimately at the discretion of the entity, plans that set out how the entity responds to incidents (such as data breach and disaster recovery plans) should be put in place. Such plans must also be tested and reviewed each year to ensure they remain sufficient and current.
Where information security capabilities are provided by a third party, internal audits must include an assessment of the strength of the information security and quality controls used by that third-party provider. The same requirements that would otherwise be placed on an APRA-regulated entity under the Standard are expected to be met by those providers, and ultimate responsibility for such assessments rests with the Board. This is particularly relevant given the growing use of cloud services in the market, and entities are encouraged via the Standard to consult with APRA before engaging such providers.
Where an entity suffers an information security incident, APRA will require notice of that incident (as soon as possible, and in any event within 72 hours) and notice of any recognised weakness in the entity's internal controls (where the weakness, once recognised, cannot be addressed within 10 days of identification). Further, APRA requires notification where an incident has occurred in another jurisdiction, regardless of whether any other regulators have been notified. The form of the notification is set out in more detail in the Standard.
These requirements, of course, apply in addition to the notification requirements in respect of personal information-related data breaches pursuant to the Mandatory Data Breach Notification Scheme under the Privacy Act 1988 (Cth).
In March this year, APRA released a draft Prudential Practice Guide 234 on Information Security, which is currently in its consultation stage and which aims to assist APRA-regulated entities in complying with the Standard.
Ultimately, the Standard places a higher burden on entities, both in taking measures to secure their information and in addressing potential and actual information security incidents. Going forward, entities will be expected to be much more proactive in the area of information security. For further information and assistance in understanding your obligations under the Standard, please visit the APRA website or get in touch with your contact at MinterEllison.
APRA-regulated entities will have to consider the following:
MinterEllison can assist you in understanding how these additional information security requirements affect you. Our IT consultancy team, ITNewcom, can assist you with technical concerns and requirements relating to your data security systems.