A new Prudential Standard, APRA Prudential Standard CPS 234 Information Security (the Standard), which addresses information security and is aimed in particular at combating the threat of cyber attacks, comes into effect on 1 July 2019.
The Standard applies to all 'APRA-regulated entities', which includes authorised deposit-taking institutions (ADIs, ie banks), general insurers, life insurance companies, private health insurers, and registrable superannuation entity (RSE) licensees.
The key obligation under CPS 234 is that regulated entities must:
maintain information security in a manner commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.
This requires each regulated entity to assess its information security capability against the size and extent of the threats to its information assets. The entity's information security obligations flow from this assessment: the greater the threat, the more onerous the obligations.
Importantly, unlike Prudential Standard CPS 231 on Outsourcing, which applies only in respect of the outsourcing of a 'material business activity', this Standard applies to all activities of a regulated entity.
Summary of requirements
In summary, the requirements under the Standard are as follows:
- A regulated entity is required to clearly set out the information security roles and responsibilities within the entity, so that it is clear who is responsible for oversight, operations, approval and decision making, as well as for other information security functions. These roles and responsibilities should extend to members of the Board, governing bodies and senior management, as well as to individuals throughout the organisation; the Board remains ultimately responsible for the entity's information security.
- An information security policy framework must be maintained in a manner that is consistent with the threats and vulnerabilities to which the entity is exposed.
- All information assets must be managed and classified by their criticality and sensitivity. These classifications are required to reflect the potential for an information security incident to affect the entity or its customers, beneficiaries or depositors, either financially or non-financially.
- Information security controls must be in place to protect the entity's information assets, and must be implemented in a timely manner. The controls must be commensurate with the vulnerabilities and threats to the information assets, their criticality and sensitivity, the stage of the assets' lifecycle, and the potential consequences of an information security incident affecting them. Their effectiveness must be verified through a systematic testing program.
- Mechanisms must be in place to ensure that information security incidents are detected and responded to quickly.
- Plans must be in place that set out how the entity will respond to incidents. These response plans must be tested and reviewed each year to ensure they remain appropriate.
- Internal audit must review the design and operating effectiveness of the entity's information security controls. These reviews must also cover any controls maintained by third parties or related parties.
- The obligations on the regulated entity are not diminished because that entity's information assets are managed by a third party or by a related party. Where this is the case, the entity must ensure that the information security capability of that party is sufficient, bearing in mind the potential consequences of any information security incident that could occur in relation to those assets.
Information security incident reporting
Strict reporting requirements apply. APRA must be notified as soon as possible, and in any case no later than 72 hours after the entity becomes aware of an information security incident, where that incident materially affected, or had the potential to materially affect (financially or non-financially), the entity or the interests of its depositors, policyholders, beneficiaries or other customers, or where the incident has been notified to another regulator, whether in Australia or overseas.
If an entity becomes aware of a material information security control weakness which it expects it will not be able to remediate in a timely manner, it must notify APRA as soon as possible, and in any case no later than 10 business days after becoming aware of it.
These requirements are in addition to other notification requirements that the entity may have (for example, under the notifiable data breach scheme in the Privacy Act 1988 (Cth), or under the GDPR).
APRA's information security focus – cloud computing
APRA is clearly focussed at present on information security and the evolving ICT landscape. The Standard's final release followed shortly after APRA's Information Paper on 'Outsourcing Involving Cloud Computing Services'.
The Information Paper considers the risks associated with the outsourcing of various activities to the cloud, and divides them into three categories:
Low inherent risk
APRA considers low inherent risk arrangements to be those where a disruption, including a compromise of the confidentiality, integrity or availability of systems or data, would have minimal impact on the business operations of the entity or on its ability to meet its obligations.
Heightened inherent risk
APRA considers arrangements 'involving critical and/or sensitive IT assets' to present a heightened inherent risk. These are arrangements where a disruption would have a significant impact on the regulated entity's business operations or on its ability to meet its obligations, or where the arrangement would increase the likelihood of such a disruption occurring. APRA expects to be consulted about such an arrangement once the entity's internal governance process has been completed.
Extreme inherent risk
APRA considers extreme inherent risk arrangements to be those where a disruption could have an extreme impact on the entity. Such impacts, which may be financial or reputational, could threaten the regulated entity's ability to continue to meet its obligations. APRA expects to be consulted before the entity enters into such an arrangement.
In the Information Paper, APRA also discusses a number of risk management considerations in relation to the use of cloud computing services, including:
- solution selection process
- APRA access and ability to act
- transition approach
- risk assessments and security
- implementation of controls
- ongoing oversight
- business disruption, and
- audit and assurance.
Outsourcing notification requirements
As mentioned above, CPS 231 applies in relation to the outsourcing of a 'material business activity'. CPS 231 requires that, upon entering into a material outsourcing agreement, a regulated entity must notify APRA. 'Material business activity' is defined as an activity that 'has the potential, if disrupted, to have a significant impact on the regulated institution's business operations or its ability to manage risks effectively'. In its Information Paper on 'Outsourcing Involving Cloud Computing Services', APRA recommends that, in undertaking this materiality assessment, consideration be given to the sensitivity as well as the criticality of the IT assets involved and the manner in which the services are to be used.
Perspectives on Cyber Risk 2019
For an overview of other recent regulatory developments in data and information security, please refer to our Perspectives on Cyber Risk 2019 report.