APRA has released its first, cross-industry prudential standard on information security for consultation, designed to tackle cyber security incidents by setting minimum standards. Read more.
Draft Prudential Standard CPS 234 (draft CPS 234) extends the key Board requirements set out in Prudential Standard CPS 220 Risk Management and Prudential Standard SPS 220 Risk Management (CPS/SPS 220). Draft CPS 234 aims to address the possible exposure to information security risk across extended business environments – particularly where there are third party providers and reflects the constantly evolving nature of information security threats and vulnerabilities. Under draft CPS 234, APRA-related entities must now:
- clearly define the information-security related roles and responsibilities of the Board, senior management, governing bodies and individuals;
- establish and maintain information security capability proportionate to the size and extent of threats to its information assets, and which enables the continued sound operation of the entity;
- classify its information assets by criticality and sensitivity, and implement controls that are regularly tested to protect its information assets proportionate to the classification of those information assets;
- notify APRA of any information security incidents that materially affected, or had the potential to materially affect, the entity or the interests of depositors, policyholders, beneficiaries, or other customers; and
- notify APRA of any information security incidents that required notification to other regulators in Australia or overseas.
Draft CPS 234 will apply to authorised deposit-taking institutions, general insurers, life insurers, private health insurers, licensees of registrable superannuation entities, and authorised or registered non-operating holding companies. The proposed information security standard is part of a broader APRA project to update its existing prudential standards and guidance in respect of the management of operational risk.
Submissions close 7 June 2018.