The Prudential Standard CPS 234 Information Security requires APRA-regulated entities to:
- clearly define information-security related roles and responsibilities
- maintain an information security capability suitable for the size and extent of threats to the entity’s information assets
- implement controls to protect information assets, commensurate with the criticality and sensitivity of those assets, and systematically test the effectiveness of those controls.
Under this standard, institutions must also notify APRA of material information security incidents as soon as possible and, in any case, no later than 72 hours after becoming aware of an information security incident that materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers.