APRA to introduce new prudential standard focusing on cyber threats
In an effort to respond to the growing threat of cyber-attacks, APRA has proposed its first cross-industry prudential standard on information security.
Whilst long overdue, it will have a significant impact going forward, with onerous requirements such as notifying APRA of material incidents within 24 hours. Meeting it will require a substantial increase in cyber maturity and capability across financial services organisations, as well as continued attention to culture, which has long been a priority for APRA.
Cyber security is far too important to be left to the technology or compliance teams alone; it is a challenge that affects everyone across the business. You can read our latest Cyber Security report here on the new privacy laws that are now in effect, including the mandatory data breach notification obligations that apply once a data breach has occurred.
The proposed new standard, CPS 234, was released this week as part of a package of measures titled Information Security Management.
The key requirements of the draft standard are that an APRA regulated entity must:
- Clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals.
- Maintain information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.
- Implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls.
- Notify APRA of material information security incidents.
The draft prudential standard CPS 234 can be found here.
The draft emphasises the importance of clearly assigned responsibilities for information security, stating that the Board holds ultimate responsibility. Unlike many of APRA’s prudential standards, it specifically requires internal audit to include, as part of its audit activities, a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties.
As the industry moves further towards digital solutions it is vital that entities ensure they have a robust approach to information security. With this package of measures, APRA has clearly acknowledged the increasing threat of cyber-attacks for Australian entities. As stated by APRA Executive Board Member, Geoff Summerhayes, “complacency is not an option”.
Submissions on the package are open until 7 June 2018, with a view to implementing CPS 234 from 1 July 2019.
The team at Grant Thornton can provide assistance in developing and enhancing your approach to information security, so that you are prepared for cyber threats and can meet the changing regulatory requirements.
If you have any questions, please get in touch.