APRA releases first prudential standard on internet security

Stakeholders are urged to submit feedback until June

APRA releases first prudential standard on internet security

Insurance News

By Mina Martin

In response to the growing threat of cyber attacks, the Australian Prudential Regulation Authority (APRA) has proposed its first prudential standard on information security.

APRA is seeking feedback on CPS 234, titled Information Security Management: a new cross-industry prudential standard – a package of measures aimed to enhance the ability of APRA-regulated entities to repel cyber attacks, or quickly and effectively respond in the event of a breach, with submissions closing on June 7.

The proposed new standard would require regulated entities to:

  • clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies, and individuals;
  • maintain information-security capability proportionate with the size and extent of threats to information assets;
  • implement information-security controls to protect its information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls;
  • have robust mechanisms in place to detect and respond to information security incidents in a timely manner; and
  • notify APRA of material information-security incidents.

Geoff Summerhayes, APRA executive board member, said the draft standard built on prudential guidance first released in 2010 and backed it with the force of law.

"Australian financial institutions are among the top targets of cyber criminals seeking money or customer data, and the threat is accelerating," Summerhayes said. "No APRA-regulated entity has experienced a material loss due to a cyber incident, but a significant breach is probably inevitable. In a worst-case scenario, a cyber attack could even force a company out of business."

The prudential regulator seeks to improve standards in key areas including assurance over the cyber capabilities of third parties such as service providers, and enhancing entities’ ability to respond to and recover from cyber incidents.

"Cyber security is generally well-handled across the financial sector, but with criminals constantly refining and expanding their tools and capabilities, complacency is not an option," Summerhayes said. "Implementing legally-binding minimum standards on information security is aimed at increasing the safety of the data Australians entrust to their financial institutions and enhance overall system stability."

The consultation package can be accessed on APRA’s website.

APRA aims to finalise the proposed standards toward the end of the year and enforce it starting July next year.

 

Keep up with the latest news and events

Join our mailing list, it’s free!