The Australian Prudential Regulation Authority (APRA) is responsible for regulating Australia's financial institutions, such as banks, insurers, and superannuation funds. In response to the growing volume of reported security incidents and cyber-attacks, APRA recently published a set of rules on information security handling: CPS 234. APRA currently supervises institutions holding $6.5 trillion in assets, including banks, credit unions, life insurance companies, building societies, health insurers, general insurers, and members of the superannuation industry. Because of the sensitive nature of the information held by these entities, APRA is fast-tracking the implementation of its new standard, CPS 234, and requires compliance by the 1st of July 2019. Compliance instructions are set out in detail in a guideline published by APRA, the CPG 234. In the CPG 234, you'll find the key points and actions that must be accomplished in order to achieve CPS 234 compliance.
Key points in the APRA CPS 234:
This standard aims to ensure that an APRA regulated entity takes measures to make itself resilient against information security risks by maintaining an information security capability commensurate with the information security threats it faces. The key objective is to minimise, as far as possible, the likelihood and impact of incidents on confidential information and on the information assets that contain it, including those managed by related or third parties.
The Board of an APRA regulated organization is responsible for maintaining the organization's information security. The key requirements of this standard are that an APRA regulated organization must:
- Roles definition: define the information security-related roles of the Board, senior management, governing bodies, and individuals.
- Maintain security capabilities: maintain an information security capability commensurate with the size and extent of the threats to its information assets, and one that enables the sound operation of the entity.
- Implement security controls: implement security controls to protect information assets, commensurate with their criticality and sensitivity, and undertake systematic testing to ensure the effectiveness of those controls.
- Incident management: an entity must maintain plans to respond to the information security incidents that the entity considers could plausibly occur. Those plans must include the mechanisms in place for:
* Managing all stages of an incident, from detection to post-incident review.
* Escalation and reporting of information security incidents to the Board and to others responsible for this type of incident management.
Communication and responsiveness are the keys here; therefore, those plans must be reviewed annually to ensure they remain effective.
- Testing control effectiveness: CPS 234 requires entities to test the effectiveness of their information security controls regularly through a systematic testing program. Testing frequency must be commensurate with:
* The rate at which vulnerabilities and threats change.
* The criticality and sensitivity of the information asset.
* The possible consequences of an information security incident.
* The exposure to environments not regulated by APRA, which may implement different security policies.
* The materiality of the asset and the frequency of changes to the asset.
- Notify APRA: in any case of a security incident. No later than 72 hours after an information security breach occurs, regardless of the assets affected, and no later than 10 business days after learning of an information security control weakness.
APRA CPS 234 particularly focuses on third-party risk and on notification of data breaches:
CPS 234 pays specific attention to information assets managed by related parties or third-party entities. Here are some examples of the requirements and notifications regarding third-party entities:
- Related or third parties that hold APRA regulated entities' assets must be assessed by APRA regarding their information security capabilities.
- Information security controls must also protect assets managed by related or third parties.
- An APRA regulated entity must evaluate a related or third party's information security controls if its information assets are managed by that party. In addition, the APRA regulated entity must make sure that the nature and frequency of the related or third party's testing of those controls comply with APRA CPS 234 requirements.
- APRA regulated entities' audits must include the information security controls provided by a related party or third party.
The bottom line: related parties and third parties that manage APRA regulated entities' information assets must be CPS 234 compliant. This must be implemented by the earlier of the next renewal date of the contract with the third party or the 1st of July 2020.
With the release of CPS 234, APRA also released a set of guidelines: the CPG 234. The CPG 234 contains a precise set of actions to be performed to achieve CPS 234 compliance. The CPG 234 will be discussed in future blog posts.