Financial services in Australia are now subject to increased cyber-security and information security regulation.

Effective 1 July 2019, APRA-regulated entities must ensure their information security capabilities comply with a new prudential standard issued by the Australian Prudential Regulatory Authority (APRA), CPS 234. These enhanced information security obligations seek to ensure the continued sound operation of entities holding sensitive information despite the rise and variety of information security threats, vulnerabilities and incidents. Notifications of material information incidents must be provided to APRA within 72 hours.

Who must comply?

CPS 234 applies to APRA-regulated entities. This sweepingly broad category includes authorised deposit-taking institutions (banks, credit unions, building societies), general insurers, life companies including eligible foreign life insurance companies, private health insurers and registrable superannuation entity licensees (superannuation funds). Entities using third party information-security service providers have a further period of up to 12 months to comply.

What is required?

CPS 234 requires entities to ‘maintain information security in a manner commensurate with the size and extent of threats to information assets’. It essentially requires an uplift in security capability to detect and manage ever-changing security risks to certain information. Current and emerging threats are widely acknowledged to relate to payments and card fraud, geo-positional hacking, mobile app weaknesses, attacks on supply chains and critical infrastructure. CPS 234 sets out steps to take (summarised below).

How far-reaching is the regulation?

CPS 234 has broad application. It applies to the 'information assets' of APRA-regulated entities. Information assets are defined widely to include information and information technology, including hardware, software and data in hard or soft copy. It also applies to all activities undertaken by the organisation, not just material or core business activities.

Are there additional reporting obligations?

CPS 234 introduces specific, time-sensitive reporting obligations in relation to compromised or vulnerable information security:

  • material information incidents must be notified to APRA within 72 hours of an entity becoming aware of an incident. Reportable incidents are those that materially affected or had the potential to materially affect, financially or non-financially, the entity, or the interests of depositors, policy-holders, beneficiaries or other customers, or which have been notified to other regulators in Australia (such as the OAIC for notifiable privacy breaches) or other jurisdictions (such as the ICO under the GDPR)
  • material information security control weaknesses must be reported no later than 10 business days after an entity becomes aware of the issue. Reportable weaknesses are those which an entity expects it will not be able to remediate in a timely manner.

Who is ultimately responsible?

Responsibility for failures to comply with CPS 234 will rest with the Board. To satisfy their obligations, Boards will need to ensure there are effective controls, security governance, skilled personnel and information security frameworks to minimise the impact of information security incidents on the confidentiality, integrity and availability of information.

What does it mean for the financial services industry and data-driven businesses generally?

CPS 234 is an example of the ever-increasing regulation of data and the attempts to combat cyber threats and information security vulnerabilities generally. CPS 234 requires a pro-active rather than reactive approach to security and extends to vast quantities of information (in soft or hard copy), as well as to information technology itself. In this context, classification of all information and the environments within which it exists is fundamental to complying with a standard that changes depending on the ‘size and extent’ of the threat. In addition, CPS 234 is an example of the growing number of potential notifications to regulators based on compromised or threatened data. With these developments, there has never been a greater need for mature data governance frameworks within all organisations.

Next steps?

APRA-regulated entities should review their information security-related roles, teams, policies and processes to determine the required uplift to meet CPS 234 and ensure on-going compliance. This will involve:

  • defining the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals empowered to decide, approve, oversee, operate and perform other information security functions
  • maintaining an information security capability commensurate with the size and extent of threats to information assets
  • ensuring that third parties or related parties managing information assets have information security capability equivalent to that of the APRA-regulated entity, by evaluating the design of that party’s controls that protect the information assets
  • having an information security policy framework and accountability and reporting measures within the organisation commensurate with the entity’s exposures to vulnerabilities and threats
  • implementing information asset identification and classification systems that reflect the degree to which an information security incident on a particular information asset has the potential to affect the financial or non-financial interests of the entity or the interests of depositors, policyholders, beneficiaries or other customers
  • ensuring assurance practices continually monitor and adapt to the threat environment
  • instituting robust security incident detection and response plans for all incidents and notifications to APRA of material information incidents
  • auditing the design and effectiveness of information security controls.