In light of the growing threat of cyberattacks, the Australian Prudential Regulation Authority (APRA) has released a draft cross-industry standard for information security management. APRA's draft standard titled Prudential Standard CPS 234 Information Security (Standard) is the first of its kind to address information and cyber security.

The proposed Standard aims to enhance the robustness of Australia's financial institutions against cyberattacks by imposing baseline information security standards to help entities guard against, detect and effectively respond to attacks. The draft Standard requires regulated entities to:

  • clearly define the information security related roles and responsibilities of its board, senior management, governing bodies and employees;
  • maintain information security capabilities proportionate to the their potential threats to information assets;
  • implement controls to protect information assets, including systematic testing of their effectiveness; and
  • notify APRA within 24 hours of experiencing a material information security incident or an information security incident that has already been notified to other regulators in Australia or overseas.

The draft Standard would apply to authorised deposit taking institutions, general insurers, life insurers, private health insurers, licensees of registerable superannuation entities and authorised or registered non-operating holding companies.

APRA is seeking feedback on the proposed Standard with written submissions due by 7 June 2018. The draft Standard can be accessed here. A copy of APRA's discussion paper can be accessed here.