The Australian Prudential Regulation Authority (APRA) has published the final version of its cross-industry prudential standard, CPS 234, focused on the management of information security at regulated entities, the creation of which was prompted by the “accelerating threat of cyber attacks”.
The infosec standard requires authorised deposit-taking institutions (ADIs), and other regulated entities, to:
- “clearly define” information security-related roles and responsibilities;
- “maintain an information security capability commensurate with the size and extent of threats to their information assets”;
- implement controls and regularly test their effectiveness to protect assets (including those managed by related and third parties) from new threats;
- have “robust mechanisms” in place to detect and respond to information security breaches in a timely manner; and
- notify APRA of information security incidents (that had a material impact or could have an impact on the entity or the interests of depositors, policyholders, beneficiaries or other customers) within 72 hours of becoming aware of them.
APRA’s finalised standard, which comes into effect on 1 July 2019, stipulates that company boards are “ultimately responsible for ensuring that the entity maintains its information security”.
It also outlines that where information assets are stored and managed by a related or third party, the regulated entity is responsible for assessing the infosec capabilities of that party “commensurate with the potential consequences of an information security incident affecting those assets”.
The regulator’s executive board member, Geoff Summerhayes, said that Australian financial services providers are being targeted by hackers “with growing frequency and sophistication”, and so infosec breaches are a matter of “when, not if”.
“In a worst-case scenario, a major breach could even force a company out of business. As a result, APRA is fast-tracking implementation of this standard and expects all regulated entities to meet its requirements by 1 July next year,” Mr Summerhayes added.
“By introducing CPS 234, APRA aims to ensure all regulated entities develop and maintain information security capabilities that reflect the importance of the data they hold and the significance of the threats they face.”
The prudential regulator said that it is updating its Prudential Practice Guide CPG 234 Management of Information and Information Technology to help entities fulfil their requirements.
Earlier this week, the government announced that it would inject an additional $58.7 million over two years to “strengthen” APRA’s enforcement powers after the regulator was criticised in the royal commission’s interim report for rarely taking wrongdoers to court.
Wayne Byres’ chairmanship was also extended for another five years for the sake of “stability” at a time when a number of initiatives and interventions are underway to address housing market challenges and improve accountability at financial institutions.
In September, Mr Byres had pressed the major banks to upgrade their anachronistic IT systems, warning that such systems might not be compatible with new prudential requirements.
APRA’s technology risk team reviewed 90 per cent of the banking industry by assets, according to the chair, and found that in many instances, the banks’ core systems had reached end-of-life or end-of-support “without funded remediation plans in place”.
The chair had also noted at the time that the growing trend of outsourcing and partnering with technology providers will result in greater use of cloud-based systems, meaning that “the prudential supervisors’ ability to ‘kick the tyres’ will be much harder in [the] future without new tools and methods”.
“Like everyone in the industry, APRA recognises change is coming. But sadly, our crystal ball is as cloudy as everyone else’s,” Mr Byres said.