Data Protection continues to be a subject of sweeping legal reforms and public concern, both in Australia and internationally. Last month, the Australian Prudential Regulation Authority (APRA) followed suit when it finalised its new prudential standard designed to shore up information security across the finance industry. The new standard, CPS 234, will come into effect July 1st, 2019, whereupon APRA-regulated entities will be held to strict and expansive information management obligations.
The need for a new standard
The ever-shifting cyber landscape demands that information security practices be continually refreshed. As noted by APRA executive board member Geoff Summerhayes: ‘Australian financial institutions are among the top targets of cybercriminals seeking money or customer data, and the threat is accelerating’.
Who will be affected by the new obligations
The prudential standards apply to APRA-regulated entities. This includes deposit-taking institutions, general insurers, life insurers, private health insurers, licensees of registrable superannuation entities and authorised or registered non-operating holding companies.
CPS 234 in a nutshell
The new standard requires that APRA-regulated entities:
- Clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals;
- Maintain information security capability commensurate with the size and extent of threats to information assets, and which enables the continued sound operation of the entity;
- Implement information security controls to protect its information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls;
- Have robust mechanisms in place to detect and respond to information security incidents in a timely manner; and
- Notify APRA of material information security incidents.
The new prudential standard will no doubt cause its share of teething problems. Notably, CPS 234 expressly places the ultimate responsibility for information security on the Board. Board members will, therefore, require an up-to-date and firm grasp of information security fundamentals.
Scans for security breaches will need to be swift and sensitive in order to comply with the notification periods: 72 hours from becoming aware of an information security incident, and 10 business days from becoming aware of a ‘material internal control weakness’. APRA will elucidate the meaning of an ‘internal control weakness’ in the coming months.
CPS 234 will likely require extensive gap-filling on the part of entities, both in implementing commensurate controls and in educating the board and staff about their security-related roles.
This article is for general interest purposes only and does not constitute legal advice. For tailored legal advice, contact Rankin Business Lawyers.