On 25 March 2018 APRA released for consultation a draft of Prudential Practice Guide 234 Information Security (‘CPG 234’). Accompanying the release was a letter inviting written submissions on the draft. The purpose of CPG 234 is to assist APRA-regulated entities in complying with Prudential Standard CPS 234 Information Security (‘CPS 234’), which commences on 1 July 2019. The draft offers valuable insight into the degree of information security capability APRA will expect of regulated entities following commencement of CPS 234.

Importantly, CPG 234 clarifies that Boards of regulated entities should, in order to more effectively discharge their responsibilities under CPS 234, take a more proactive role in working with management on the information security capability of the entity.

Background

APRA released the final version of CPS 234 on 7 November 2018. The purpose of CPS 234 is to ensure APRA-regulated entities take measures to be resilient against information security incidents by maintaining an information security capability commensurate with information security vulnerabilities and threats. A ‘regulated entity’ includes entities regulated under the Banking Act 1959 (Cth), Insurance Act 1973 (Cth), Life Insurance Act 1973 (Cth), Private Health Insurance (Prudential Supervision) Act 2015 (Cth) and Superannuation Industry (Supervision) Act 1993 (Cth).

CPS 234 is significant in that it is the first prudential standard in Australia addressing information and cyber security. Compliance with CPS 234 is mandatory for regulated entities. Read more about CPS 234 and the obligations it imposes on regulated entities in a previous alert.

CPG 234

CPG 234 will replace CPG 234 Management of Security Risk in Information and Information Technology. It provides detailed practical guidance on how regulated entities can meet their information security obligations under CPS 234. It also highlights areas where weaknesses in regulated entities’ information security management practices continue to be identified as part of APRA’s ongoing supervision activities.

Greater board engagement

The draft CPG 234 gives guidance on APRA’s view of Board obligations under CPS 234 to oversee information security capability. According to the draft of CPG 234, to discharge their obligations in this respect Boards could:

  • outline to management how they expect to be engaged with and reported to regarding information security capability
  • consider the sufficiency of the entity’s information security capability in relation to vulnerabilities and threats
  • when appropriate, challenge management on the sufficiency of information security capability reporting and testing

As CPS 234 is a mandatory prudential standard, Boards of regulated entities and their advisors should pay close attention to any guidance on how they can comply with it. The draft CPG 234 provides useful insight into what APRA will expect of Boards following the commencement of CPS 234 on 1 July 2019.

Summary of CPG 234

CPG 234 is divided into 10 chapters. The table below summarises each chapter and the guidance APRA provides:

APRA's guidance

Considerations for the board

Boards of regulated entities should consider:

  • clearly outlining to management how the Board expects to be engaged regarding cyber security matters
  • the regulated entity’s information security capabilities
  • whether information security policies reflect Board considerations
  • regularly seeking assurance from management regarding the effectiveness of the information security control environment and the testing of that environment
  • sufficiency of internal audit’s coverage, skills, capacity and capabilities

Roles and responsibilities

Boards of regulated entities should clearly outline how they expect to be engaged with respect to information security, including escalation of risks, issues and reporting. Information security roles and committees within regulated entities should be well defined.

Information security capability

Regulated entities should assess the sufficiency of their information security capability and specialise these capabilities. The capabilities should evolve in response to changes in the information security environment.

Where a regulated entity places reliance on the information security capabilities of third parties, it should assess the third party’s information security capabilities. This should be done through a combination of interviewing, service reporting, control testing, certifications, attestations, referrals, and independent assurance assessments.

Policy Framework

A regulated entity’s information security policy should be structured as a hierarchy, with higher level policies supported by underlying standards, guidelines and procedures. Policy frameworks should be informed by a set of information security principles. Common information security principles are provided in Attachment A of CPG 234.

Information asset identification and classification

Regulated entities should thoroughly understand their information assets and the impact of security compromise of those assets. Information assets must be classified by criticality and sensitivity.

A classification methodology should be maintained that provides clarity as to what constitutes an information asset, and rates criticality and sensitivity.

Implementation of controls

Regulated entities must have information security controls to protect their own information assets commensurate with the stage at which the information assets are within their life cycle. This includes ensuring that, for an information asset, information security controls remain effective at each stage of its life cycle, and responsibility for its information security is formally allocated to an information asset owner.

Information security vulnerabilities pertaining to information assets should be identified and remediated quickly. This may involve:

  • implementing mechanisms that access and analyse threat intelligence
  • engaging with stakeholders regarding threats and countermeasures
  • developing tactical remediation strategies

Information asset vulnerabilities must be minimised by updating hardware and software. A technology refresh plan with committed resourcing may facilitate this. Systems that cannot be adequately updated should be decommissioned.

Physical and environmental controls should be in place to protect information assets. These controls will commonly be provided through professionally managed data centres as part of third party or related party arrangements.

Use of cryptographic techniques to control access to sensitive data, both in storage and in transit, may be considered. Further detail on this suggestion is provided in Attachment E of CPG 234.

Incident management

Regulated entities must have robust detection mechanisms in place to detect and respond to actual or potential compromises of information security. These may include:

  • scanning, sensing and logging mechanisms
  • monitoring processes to identify unusual patterns of behaviour

Common monitoring techniques include:

  • network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity
  • scanning for unauthorised hardware and software
  • users with privileged access accounts subject to a greater level of monitoring

Where incident response requires third party collaboration and coordination between the regulated entity and third parties or related parties, roles should be agreed upon. This may include formalisation of points of integration between third party or related party incident response plans.

Testing control effectiveness

In order to systematically test information security controls, regulated entities should maintain a program which validates the design and operating effectiveness of controls over time. A variety of testing approaches should be considered, and tests should be conducted by appropriately skilled and functionally independent specialists. Further detail on this suggestion is provided in Attachment G of CPG 234.

Internal audit

Regulated entities must have an internal audit function that reviews the design and operating effectiveness of information security controls. This involves a program that assesses all aspects of the security environment over time.

Where reliance is placed on assurance provided by third parties and related parties, internal audit must assess the information security control assurance provided by the third party or related party.

Notification

Regulated entities must notify APRA of certain information regarding security incidents, including the date and time of the incident, the incident type, and mitigation actions taken or planned.

They must also notify APRA of certain information security control weaknesses. These weaknesses can be identified through a number of mechanisms such as control testing, assurance activities, information security incidents, vulnerability notification by software and hardware vendors and other forms of notification by third parties and related parties.

What’s next?

Regulated entities preparing for the commencement of CPS 234 should pay close attention to the draft CPG 234, and any amendments made to it before the final draft is released. Submissions to the draft close 17 May 2019.