Australian Prudential Regulation Authority (APRA) issued Prudential Standard CPS 234 Information Security (CPS 234) on 7 November 2018. CPS 234 imposes information security requirements on all APRA-regulated entities and will commence on 1 July 2019, providing transition arrangements where information assets are managed by third parties. It is crucial for all APRA-regulated entities to understand the requirements in place for the management of information security.
For some time, APRA has been working towards the issue of a Prudential Standard that responds to the growing threat of cyber attacks. In March 2018, APRA released a package of measures for consultation with the intention of lifting standards in relation to information security including assurance over the cyber capabilities of third parties such as service providers, and enhancing entities’ ability to respond to and recover from cyber incidents. The consultation process has led to the issue of CPS 234 on 7 November 2018.
What is CPS 234?
CPS 234 is a cross-industry prudential standard for the management of information security. CPS 234 sets out a range of information security requirements designed to ensure that APRA-regulated entities clearly define information-security related roles and responsibilities and, among other things, that they:
- maintaining an information security capability commensurate with the size and extent of threats to their information assets;
- implementing controls to protect information assets and undertaking regular testing and assurance of the effectiveness of controls; and
- promptly notifying APRA of material information security incidents.
The Standard has broad reach, as it applies to all ‘information assets’ of APRA-regulated entities, a term defined to include information and information technology, including software, hardware and data (both soft and hard copy).
Who does CPS 234 apply to?
CPS 234 applies to all APRA-regulated entities including authorised deposit-taking institutions, general insurers, life companies, private health insurers and RSE licensees under the Superannuation Industry (Supervision) Act 1993. Whilst only these regulated entities must comply with the Standard, the requirements of the Standard apply to all ‘information assets’ of the regulated entity, whether managed by the entity itself or by third parties and related entities.
When does CPS 234 commence?
CPS 234 will commence on 1 July 2019. However, where an APRA-regulated entity’s information assets are managed by a third party, CPS 234 will commence from the earlier of the next renewal date of the contract with the third party or 1 July 2020. This transition period will afford APRA-regulated entities the time required to develop contractual terms and protocols with service providers and other vendors so the entities can comply with the requirements of the Standard.
How to comply with CPS 234
The centrepiece of CPS 234 is the requirement on APRA-regulated entities to implement a framework which classifies information assets by criticality (the potential impact of a loss of availability) and sensitivity (the potential impact of a loss of confidentiality or integrity). This is essentially a risk assessment of the effect that a loss of availability, confidentiality or integrity of the information assets would have on the entity. The Board of an APRA-regulated entity is then responsible for ensuring that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets.
This requires the Board to:
- clearly define the information-security related roles and responsibilities of the Board, senior management, governing bodies and individuals.
- assess the information security capability of related parties or third parties, where those parties manage the entity’s information assets.
- evaluate the design and operating effectiveness of information security controls used by related parties and third parties, where those parties manage the entity’s information assets.
- have mechanisms in place in their security response plans to detect and manage information security incidents. The security response plans must also be reviewed annually to ensure they remain effective and fit-for-purpose.
- test the effectiveness of their information security controls through a systematic testing program, including testing of the security controls of related parties or third parties who manage the entity’s information assets, and escalate and report to the Board or senior management any testing results that identify information security control deficiencies that cannot be remediated in a timely manner.
The internal audit function of the APRA-regulated entity is required to review the design and operating effectiveness of information security controls, including those maintained by related parties and third parties.
The Standard contains quite onerous breach reporting obligations. APRA-regulated entities must notify APRA within 72 hours of experiencing an information security incident that ‘materially affects, or has the potential to materially affect’, the entity or the interests of depositors, policyholders or other customers, or that has been notified to other regulators in Australia or overseas. They must also notify APRA within 10 business days after becoming aware of a material information security control weakness that the entity expects not to be able to remediate in a timely manner.
The Standard is not as prescriptive as some other APRA standards in terms of the contractual obligations that regulated entities must have in place with third parties in relation to information assets. However, given the Standard requires an assessment to be conducted of the effectiveness of the controls those third parties have in place for the security of the information assets, there will need to be some level of oversight and audit by the regulated entity of its IT providers. In our experience, this has caused significant difficulty for Australian institutions dealing with large multinational technology infrastructure providers, as they are generally reluctant to agree to the level of access, disclosure, auditing and testing rights that the Australian regulated entity requires to satisfy its obligations under the Standard.
The notification requirements on APRA-regulated entities under CPS 234 are also likely to cause some difficulty, as entities will need to form a view about which information security incidents have materially affected, or had the potential to materially affect, the entity or its customers. The use of the term ‘material’ rather than ‘significant’ (as has been used for other reporting requirements to ASIC and APRA) suggests that the bar has been set lower for the reporting of information security incidents to APRA.
APRA-regulated entities will also need to consider whether agreements with relevant outsourced IT providers include sufficient provisions to ensure that the regulated entity can comply with the APRA notification requirements for information security incidents (including the obligation to notify within 72 hours).
There will also be significant overlap between the obligations imposed under CPS 234 and other legislation which deals with data privacy or customer data, including the recently introduced notifiable data breach scheme under the Privacy Act 1988 (Cth) and the potential new consumer data right regime (which is covered by the recently introduced Treasury Laws Amendment (Consumer Data Right) Bill 2018 (Cth)).