A new prudential standard has been released to boost the resilience of APRA-regulated entities against information-security incidents and their ability to swiftly and effectively respond to breaches.
Starting July 1, Prudential Standard CPS 234 Information Security will take effect, requiring all authorised deposit-taking institutions, insurers, superannuation licensees, and authorised non-operating holding companies to:
- clearly define information-security-related roles and responsibilities
- maintain an information-security capability commensurate with the size and extent of threats to their information assets
- implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls
- promptly notify APRA of material information-security incidents
“A significant information security breach at an APRA-regulated entity is almost certainly a question of when – not if,” said Geoff Summerhayes, APRA’s executive board member. “In a worst-case scenario, a major breach could even force a company out of business. As a result, APRA is fast-tracking implementation of this standard, and expects all regulated entities to meet its requirements by 1 July next year.”
APRA said it will soon update Prudential Practice Guide CPG 234 Management of Information and Information Technology to help entities fulfil their new cybersecurity obligations.
Visit APRA’s website for more information about the new prudential standard.