APRA-regulated entities may face additional reporting requirements in cases of data breach as a result of APRA's proposed new prudential standard on Information Security Management.
With the constant development of increasingly sophisticated and frequent cyber attacks, APRA recently identified the importance of resilience and preparedness for managing and protecting information against security threats. On 18 March APRA released the draft of CPS 234, its first prudential standard aimed at minimising the threat of cyber attacks for APRA-regulated entities.
The draft standard, CPS 234, requires APRA-regulated entities to implement measures to increase resilience against information security incidents, and imposes reporting obligations. The key requirements of the draft standard are that APRA regulated entities must:
- clearly define the information security related roles and responsibilities of the Board, and of senior management, governing bodies and individuals;
- maintain information security capacity commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity;
- implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and
- notify APRA of material information security incidents.
Of particular note, paragraph 34 of the proposed standard requires APRA-regulated entities to notify APRA at the first opportunity, and no later than 24 hours, after experiencing an information security incident that:
"materially affected, or had the potential to materially affect the entity or the interests of depositors, policyholders, beneficiaries, or other customers; or
that other regulators have been notified about".
Paragraph 35 also creates an obligation on these entities to notify APRA within 5 days of identifying a material information security control weakness that it does not expect to be able to address in a timely manner.
Following the close of the consultation period on 7 June 2018, APRA anticipates that the finalised prudential standard CPS 234 will be released in the fourth quarter of 2018 and come into effect on 1 July 2019.
Existing reporting requirements for APRA regulated entities, in the event of a major data breach
APRA regulated entities may already have reporting obligations to ASIC, Office of the Australian Information Commission and ASX. The proposed prudential standard will add another layer of reporting for those entities. The existing reporting obligations include:
Under the Notifiable Data Breaches Scheme of the Privacy Act 1988
Part IIIC of the Privacy Act creates the Notifiable Data Breaches Scheme which establishes reporting requirements in cases of eligible data breaches (such as unauthorised access to personal information) for certain entities holding information about one or more individuals (see section 26WE).
Where an entity is aware there are reasonable grounds to believe an eligible data breach of the entity occurred it must prepare a statement to give to the affected individuals (the individual whose personal data is breached as well as anyone who may be at risk from the data breach) and the Office of the Australian Information Commission (sections 26WK-26WL). The statement must set out the identity and contact details of the entity, a description of the suspected eligible data breach, the kind(s) of information affected and recommendations for steps affected individuals should take in response to the suspected data breach.
The Privacy Act applies to a range of entities, including Australian Government agencies, businesses and NFPs with an annual turnover over $3 million.
Under the Corporations Act 2001 (Cth)
Companies that hold an Australian Financial Services Licence (AFSL) may have requirements to report to ASIC in the case of cyber attacks which disrupt their provision of financial services. There is an obligation to report significant breaches to ASIC under section 912D of the Corporations Act. This obligation can be triggered by a breach or likely breach of, for example, section 912A(1)(d) which requires the holder of an ASL to have available adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements.
For ASX listed entities
ASX listed entities are required to make immediate disclosure to the ASX where they become aware of information concerning themselves that a reasonable person would expect to have a material effect on the price or value of their securities (triggering Listing Rule 3.1). There are exceptions to this rule where the information remains confidential and a reasonable person would not expect the information to be disclosed. Failure to comply with Listing Rule 3.1 is an offence under section 674 of the Corporations Act to which civil penalties may apply.
Where there has been a significant cyber attack or information security breach, there may well be an obligation to notify under the ASX listing rules – particularly if a large number of customers are affected and the data breach is sufficiently serious to warrant notification under the Privacy Act.
What APRA regulated entities should do now
Regulators the world over are increasingly focused on information security and management of data breaches. The proposed APRA prudent standard CPS 234 has the potential to add to the existing regulatory regimes and introduce a further reporting obligation. There will be significant complexity associated with navigating reporting obligations under that standard, the Privacy Act, the Corporations Act and the ASX Listing Rules – each of which has a different test or requirement for notification and different reporting obligations. Those companies who are regulated under these various pieces of legislation should, in preparing information security management policies and data breach response plans, give careful consideration to protocols and procedures for managing legal reporting obligations. If a major cyber incident occurs, there will undoubtedly be pressure on senior executives and directors to manage those obligations under tight timeframes. It will serve them well to be prepared before the breach.