APRA finalises cyber security prudential standard


8 November 2018
By Nicholas Grove

The Australian Prudential Regulation Authority (APRA) has released the final version of its prudential standard focused on information security management.

APRA said the new Prudential Standard CPS 234 Information Security will shore up APRA-regulated entities’ resilience against information security incidents, including cyber-attacks, and their ability to respond swiftly and effectively in the event of a breach.

It said CPS 234 requires regulated entities to: clearly define information-security related roles and responsibilities; maintain an information security capability commensurate with the size and extent of threats to their information assets; implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls; and promptly notify APRA of material information security incidents.

APRA first released a discussion paper in March outlining the intended requirements of the new prudential standard. Following extensive consultation with industry, APRA this week published a Response to Submissions paper outlining the final form of the standard.

Industry was supportive of the intent and direction of CPS 234. However, APRA said it agreed to make several amendments, including clarifying requirements for information assets managed by third parties, and modifying the timeframes for notifying APRA of information security incidents and material information security control weaknesses.

APRA executive board member Geoff Summerhayes said cyber adversaries were targeting Australian financial services companies with growing frequency and sophistication.

“A significant information security breach at an APRA-regulated entity is almost certainly a question of when – not if. In a worst-case scenario, a major breach could even force a company out of business,” Summerhayes said.

“As a result, APRA is fast-tracking implementation of this standard, and expects all regulated entities to meet its requirements by 1 July next year.

“By introducing CPS 234, APRA aims to ensure all regulated entities develop and maintain information security capabilities that reflect the importance of the data they hold, and the significance of the threats they face.”
