INSIGHT

New APRA prudential standard raises bar for information security obligations and incident notification requirements

By Gavin Smith, Simun Soljo
APRA Banking & Finance Data & Privacy Financial Services Technology & Outsourcing Technology, Media & Telecommunications

In brief

As companies and regulators across the world grapple with ever-increasing cyber security threats, Australia's financial services regulator, APRA, has released the final form of a new prudential standard. It will require APRA-regulated entities to establish and maintain information security controls to protect customer data, and to notify APRA of information security incidents that have, or may have, a material effect on customers' interests. This will have significant implications both for regulated entities and for their boards of directors. Partners Gavin Smith and Simun Soljo and Lawyer James Higgins report.

How does it affect you?

  • The Prudential Standard CPS 234 – Information Security (CPS 234), which commences from 1 July 2019, will apply to all APRA-regulated entities, including ADIs, general insurers, life insurers, private health insurers, licensees of registrable superannuation entities, and authorised or registered non-operating holding companies.
  • It will require regulated entities to regularly review and invest in effective information management practices. It will also introduce a new notification-to-APRA obligation, which will sit alongside the recently introduced notifiable data breach scheme enacted under the Privacy Act 1988 (Cth). This will have broader application than the Privacy Act scheme, because the new standard will apply to all information assets, not just personal information.
  • The new standard also sets out an express position that the board of a regulated entity is ultimately responsible for the maintenance of appropriate information security measures.
  • Following the consultation process on a discussion paper released in March, APRA has agreed to make several amendments. These include:
    • providing that where an entity's information assets are managed by a third party, the requirements will apply from the earlier of the next renewal date of the relevant service contract or 1 July 2020; and
    • modifying the timeframe for notifying APRA of information security incidents: from 24 hours after 'experiencing' an incident, to 72 hours after 'becoming aware of' an incident.
  • APRA-regulated entities will be subject to penalties for non-compliance with the new standard under the applicable legislation (depending on the type of entity involved).

Background

On 7 March 2018, APRA released a package of measures for industry consultation, titled 'Information Security Management: A new cross-industry prudential standard'. The release of that package followed two industry surveys by APRA in 2015/16 and 2017, which indicated that cyber attacks across those periods varied in nature, sophistication and impact.

Following a period of consultation, APRA has now released the final form of CPS 234. The standard is aimed at increasing financial safety and the overall stability of the financial system, while not compromising the operational efficiency of entities subject to the new regime.

APRA's Prudential Practice Guide CPG 234 Management of security risk in information and information technology, which was adopted in May 2013, will also be replaced following consultation, to reflect the final version of the new prudential standard.

New prudential standard

The new standard will apply to all 'APRA-regulated entities'. It will require an entity to:

  • establish an information security capability commensurate with the size and extent of threats to its information assets, and that enables the entity's continued sound operation;
  • maintain an information security policy, which allocates internal responsibility for information security;
  • classify information assets according to criticality and sensitivity;
  • maintain information security controls to protect its information assets (and evaluate the effectiveness of third party or related party information controls, where those parties manage the entity's information assets);
  • maintain robust mechanisms to detect and respond to information security incidents (being incidents where information security is compromised) in a timely manner, including annually reviewed plans for specific plausible incidents;
  • implement a systematic testing program of its information security controls; and
  • include in its audit activities a review of the design and operating effectiveness of information security controls (including those maintained by related parties and third parties).

These obligations are more specific than existing obligations under Australian Privacy Principle 11, but also extend more broadly to all information assets of a regulated entity, not just personal information.

Significantly, the prudential standard will also require an APRA-regulated entity to notify it as soon as possible (and, in any case, no later than 72 hours) after becoming aware of an information security incident that:

  • materially affected, or had the potential to material affect, financially or non-financially, the entity, or the interests of depositors, policyholders, beneficiaries, or other customers; or
  • has been notified to other regulators, whether in Australia or overseas.

This is a very short timeframe. In practice, it will require regulated entities to act extremely quickly to undertake assessments of the potential for a material effect on the interests of their customers or other individuals or entities. The 72-hour period is notably shorter than that under the Notifiable Data Breach Scheme in the Privacy Act, which allows up to 30 days for organisations to assess whether an eligible data breach has occurred.   

Importantly, the new standard also requires that an APRA-regulated entity must notify APRA as soon as possible, and no later than 10 business days, after identifying a material information security control weakness that it expects it will not be able to remediate in a timely manner. This will require a notification even where there has been no exploitation of the weakness. This is likely to be of concern to regulated entities, given the sensitivity and need to maintain secrecy over any potential vulnerabilities.

Of particular interest to directors of regulated entities is that the new standard makes it clear that the board of an APRA-regulated entity is ultimately responsible for ensuring that information security is maintained across the entity in a manner commensurate with the size and extent of threats to those assets. The prudential standard also provides that information security should be maintained in such a way as to enable the continued 'sound operation' of the entity. While these provisions are specific expressions of existing general director duties, boards will need to re-focus on the manner in which they obtain and monitor information about an entity's information security functions, and ensure that those functions are rigorously and regularly audited.

Implications

APRA's new prudential standard will require regulated entities to take a proactive approach to managing cyber security risks, commensurate with the nature of the information held by an entity and the scale of risk.

Prudential standards are legally binding. APRA is authorised to determine prudential standards under the relevant federal legislation that covers APRA-regulated entities, including the Banking Act 1959 (Cth) and Insurance Act 1973 (Cth). These laws impose penalties where a regulated entity breaches a standard and fails to notify APRA of the breach.

Next steps

  • The new standard CPS 234 will commence on 1 July 2019. Given this short implementation period, APRA-regulated entities should begin to consider what steps they need to take in order to comply with the new standard ahead of its commencement.
  • The standard includes transitional arrangements in relation to information assets that are managed by third party service providers. However, for those entities that rely heavily on external providers in this space, the process of reviewing and, if necessary, updating such arrangements may take some time.
  • APRA is working to prepare a new prudential practice guide on information security, to replace the Prudential Practice Guide CPG 234 Management of security risk in information and information technology. It is expected this new guide will be the subject of industry consultation in 2019.