APRA finalises information security standard for ADIs

Information security at APRA-regulated entities is “ultimately” the responsibility of boards, according to the final infosec standard issued by the prudential regulator.

The Australian Prudential Regulation Authority (APRA) has published the final version of its cross-industry prudential standard, CPS 234, focused on the management of information security at regulated entities, the creation of which was prompted by the “accelerating threat of cyber attacks”.

The infosec standard requires authorised deposit-taking institutions (ADIs), and other regulated entities, to:

  • “clearly define” information security-related roles and responsibilities;
  • “maintain an information security capability commensurate with the size and extent of threats to their information assets”;
  • implement controls to protect information assets (including those managed by related and third parties) from new threats, and regularly test the effectiveness of those controls;
  • have “robust mechanisms” in place to detect and respond to information security breaches in a timely manner; and
  • notify APRA of information security incidents that had a material impact, or could have an impact, on the entity or on the interests of depositors, policyholders, beneficiaries or other customers, within 72 hours of becoming aware of them.

APRA’s finalised standard, which comes into effect on 1 July 2019, stipulates that company boards are “ultimately responsible for ensuring that the entity maintains its information security”.

It also outlines that where information assets are stored and managed by a related or third party, the regulated entity is responsible for assessing the infosec capabilities of that party “commensurate with the potential consequences of an information security incident affecting those assets”.

The regulator’s executive board member, Geoff Summerhayes, said that Australian financial services providers are being targeted by hackers “with growing frequency and sophistication”, and so infosec breaches are a matter of “when not if”.

“In a worst-case scenario, a major breach could even force a company out of business. As a result, APRA is fast-tracking implementation of this standard and expects all regulated entities to meet its requirements by 1 July next year,” Mr Summerhayes added.

“By introducing CPS 234, APRA aims to ensure all regulated entities develop and maintain information security capabilities that reflect the importance of the data they hold and the significance of the threats they face.”

The prudential regulator said that it is updating its Prudential Practice Guide CPG 234 Management of Information and Information Technology to help entities fulfil their requirements.

Earlier this week, the government announced that it would inject an additional $58.7 million over two years to “strengthen” APRA’s enforcement powers after the regulator was criticised in the royal commission’s interim report for rarely taking wrongdoers to court.

Wayne Byres’ chairmanship was also extended for another five years for the sake of “stability” at a time when a number of initiatives and interventions are underway to address housing market challenges and improve accountability at financial institutions.

Mr Byres had in September placed pressure on the major banks to upgrade their anachronistic IT systems, warning that such systems might not be compatible with new prudential requirements.

APRA’s technology risk team reviewed 90 per cent of the banking industry by assets, according to the chair, and found that in many instances, the banks’ core systems had reached end-of-life or end-of-support “without funded remediation plans in place”.

The chair had also noted at the time that the growing trend of outsourcing and partnering with technology providers will result in greater use of cloud-based systems, meaning that “the prudential supervisors’ ability to ‘kick the tyres’ will be much harder in [the] future without new tools and methods”.

“Like everyone in the industry, APRA recognises change is coming. But sadly, our crystal ball is as cloudy as everyone else’s,” Mr Byres said.

Tas Bindi

Tas Bindi is the features editor on the mortgage titles and writes about the mortgage industry, macroeconomics, fintech, financial regulation, and market trends.

Prior to joining Momentum Media, Tas wrote for business and technology titles such as ZDNet, TechRepublic, Startup Daily, and Dynamic Business.