A recently released Australian Prudential Regulation Authority (APRA) CPS Standard (the Standard), which will apply from 1 July 2019, broadens the obligations of APRA-regulated entities beyond their other cybersecurity obligations, including the relevant provisions of the Privacy Act 1988 (Cth).
The Standard requires APRA-regulated entities to notify APRA as soon as possible, and in any case no later than 72 hours after becoming aware of an information security incident that materially affected, or had the potential to materially affect, the entity or the interests of depositors, policy holders, beneficiaries or other customers, or that has been notified to other regulators (either in Australia or overseas). An information security incident can be interpreted quite broadly, as an actual or potential compromise of information security (whether by loss of confidentiality, integrity or availability of information assets).
Whereas the usual breach notification requirements in the Privacy Act take into account whether a data breach has been remediated (in which case it would not need to be notified), the obligation in the Standard is much broader, and requires notification of potentially material incidents. By mandating a maximum timeframe of 72 hours, the obligation to notify also becomes time-critical. The Privacy Act requires an organisation to notify of a confirmed data breach as soon as possible but, in contrast, stipulates that where there is only a suspicion of a breach, an assessment must be conducted within 30 days. The Privacy Act is also limited to unauthorised access to, or loss of, personal information, whereas the Standard extends to any information security incident (where, for example, the data at risk may be anonymised financial data, or data that, if compromised, may affect the entity regardless of whether an individual is affected).
APRA-regulated entities should look to update their information security policies and processes to accommodate the coming changes and to ensure compliance within their own organisations, and by their service providers.
The Standard also contains principles-based obligations regarding the responsibility of an organisation's board for information security, and the importance of maintaining information security capabilities and policy frameworks that are proportionate and relevant to the size and extent of the threats the entity faces. Further, it requires APRA-regulated entities to assess the capabilities of third party providers, to classify information assets, to implement various information security controls, audits and testing, and to have mechanisms in place for incident management and response plans.