New cyber security requirements for financial services industry
To combat the rising threat of cyber-attacks and ensure entities have measures in place to maintain the integrity and security of sensitive client data, the Australian Prudential Regulation Authority (APRA) has released the new Prudential Standard CPS 234 Information Security. The standard is in place to ensure organisations within the financial services sector develop resilience against cyber security incidents, making certain they can respond swiftly and effectively in the event of an information security breach. Prudential Standard CPS 234 sets out a strict and comprehensive series of requirements that entities must meet to protect themselves against information security threats. It is critical that all APRA-regulated entities familiarise themselves with the requirements of CPS 234 to ensure they are compliant when the standard comes into effect on 1 July 2019.
Prudential Standard CPS 234 is a Board responsibility. It requires information security roles to be clearly defined, and an information security policy framework and incident response plans to be in place and regularly tested.
Entities must notify APRA of breaches to their information security within 3 days. This includes information managed for regulated entities by third parties.
Entities have until 1 July 2019 to comply with these new standards.
Who does CPS 234 apply to?
CPS 234 applies to all APRA-regulated entities. These include:
- Banks (authorised deposit-taking institutions (ADIs), including foreign ADIs authorised under the Banking Act);
- General insurers;
- Life insurers;
- Health insurers.
What are the requirements of CPS 234?
CPS 234 requires APRA-regulated entities to meet the following:
Roles and responsibilities
- The Board is ultimately responsible for the information security of the entity.
- The entity must have clearly defined information security roles and responsibilities, covering the Board, senior management, governing bodies and individuals responsible for decision-making, approval, oversight, operations and other information security functions.
Information Security Capability
- The entity must maintain an information security capability commensurate with the size and extent of threats to its information assets.
- Where information assets are managed by third parties, the entity must ensure those third parties also have the information security capability to manage these threats.
- The entity must actively manage its information security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to its information assets or its business environment.
- The entity must have an information security policy framework in place.
- The framework must provide direction on the responsibilities of all parties who have an obligation to maintain information security.
Implementation of controls
- The entity must have information security controls to protect its information assets, including those managed by third parties.
- These controls must be regularly tested and exercised (at a minimum, annually).
- Controls must be updated where deficiencies are identified during testing.
- The entity must maintain plans to respond to information security incidents.
- Response plans must include mechanisms for managing all relevant stages of an incident, from detection through to post-incident review.
- Plans must be tested annually and reviewed to ensure they remain fit for purpose.
- The entity must notify APRA of an information security incident no later than 72 hours after becoming aware of it.
- The entity must notify APRA no later than 10 business days after identifying a weakness in its information security controls that it expects it will not be able to remediate in a timely manner.
RiskLogic has expanded its services to include Cyber Consulting to help entities strengthen their cyber security controls and comply with the new standard by 1 July 2019. To discuss further, book a consultation today.