To help businesses and organisations better protect themselves, and respond quickly and effectively if a cyber attack occurs, a new standard for information security management has been released by the Australian Prudential Regulation Authority (APRA).
The new Prudential Standard CPS 234 Information Security is intended to shore up APRA-regulated entities’ resilience against information security incidents, including cyber-attacks, and their ability to respond swiftly and effectively in the event of a breach.
The new standard will apply to all authorised deposit-taking institutions, general insurers, life insurers, private health insurers, licensees of registrable superannuation entities and authorised non-operating holding companies. APRA supervises institutions holding $6.5 trillion in assets for Australian depositors, policyholders and superannuation fund members.
CPS 234 requires APRA-regulated entities to:
- clearly define information-security related roles and responsibilities
- maintain an information security capability suitable for the size and extent of threats to the entity’s information assets
- implement controls to protect information assets and regularly test these methods.
Under the new standard, institutions must also notify APRA of material information security incidents within 72 hours, after becoming aware of an information security incident that:
- materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers; or
- has been notified to other agencies, either in Australia, such as the Australian Cyber Security Centre (ACSC), or overseas.
Cyber criminals are targeting Australian financial services companies with growing frequency and sophistication, so APRA is fast-tracking implementation of this standard, and expects all regulated entities to meet its requirements by 1 July next year.
More information about the new prudential standard can be found on the APRA website.