Following an increase in the frequency of information security attacks, a new Australian Prudential Regulation Authority (APRA) Information Security Prudential Standard (CPS 234) is coming into effect on 1 July 2019.
The new standard aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyber attacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats.
A key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including information assets managed by related parties or third parties.
Who does CPS 234 apply to?
CPS 234 applies to all APRA-regulated entities including authorised deposit-taking institutions (ADIs), foreign ADIs and non-operating holding companies.
It also applies to general insurers, life companies, and private health insurers. This includes non-operating holding companies that are authorised under the Insurance Act or Life Insurance Act.
When does CPS 234 become effective?
From 1 July 2019, under CPS 234, boards of entities regulated by APRA who manage their own information will be held accountable following security incidents.
For APRA-regulated entities whose information assets are managed by third parties, CPS 234 applies from 1 July 2020, or from the next renewal date of the contract if that is earlier.
What are you required to do?
- Clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals
- Maintain information security capability commensurate with the size and extent of threats to information assets, and which enables the continued sound operation of the entity
- Implement information security controls to protect its information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls
- Have robust mechanisms in place to detect and respond to information security incidents in a timely manner
- Notify APRA of material information security incidents.
APRA requires notification of both information security incidents (within 72 hours) and material internal controls weaknesses that may not be addressed in a timely manner (within 10 business days of identification).
Under CPS 234, it is required that an entities' internal audit function must include a review of the design and operating effectiveness of information security controls.
This includes those maintained by related parties and third parties, especially where:
- An information security incident affecting the information assets has the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers
- Internal audit intends to rely on the information security control assurance provided by the related party or third party.
It is a requirement that entities ensure that the information security control assurance is provided by personnel appropriately skilled in providing such assurance.
How We Can Assist
New technologies make yesterday's security and privacy solutions obsolete. And the list of possible bad outcomes in the battle to protect the integrity of your data is a long one. This is why organisations, and their Internal Audit functions, need to employ enterprise IT security services.
Through our IT security and privacy services, which are both integrated within our standard co-sourced/outsourced internal audit offerings, and available as a standalone solution, security and privacy specialists identify your organisation's highest strategic risks. After comprehensive assessments using proven techniques, we help you design or strengthen your system controls, and adapt your policies and procedures surrounding access, segregation of duties, monitoring procedures and more.
Our IT security services include:
For more information on how RSM can assist with CPS 234, please click here to contact your local RSM office.