APRA releases updated guidance on information security

The Australian Prudential Regulation Authority (APRA) has released updated prudential guidance to assist all APRA-regulated entities to embed and comply with the requirements of APRA’s new cross-industry prudential standard, CPS 234 Information Security, which comes into force on July 01.

The prudential regulator also published a letter to industry in response to submissions on the draft CPG 234 released for consultation in March. In the letter, APRA reminded firms to maintain appropriate oversight of all third parties that manage information security on their behalf, including entities subject to existing regulatory oversight and service providers engaged by third party entities.

Read more:  Chubb looks at cyber risk landscape in new report

“Cyber-adversaries are targeting Australia’s banks, insurers, and superannuation licensees with growing frequency and sophistication,” said Geoff Summerhayes, APRA executive board member.

“The new standard and accompanying prudential practice guide will reinforce the industry’s ability to withstand these information security threats and respond effectively when breaches occur. It is only a matter of time until an Australian financial institution suffers a material-information security breach of the kind we’ve seen overseas, so they must be prepared. Although many institutions are well advanced, we recognise that the new requirements materially raise the bar across the entire industry and will take time to be fully effective. We expect to see continuous improvement. If an entity assesses that it may not be able to fully comply with the new standard from July 01, it should immediately advise its APRA supervisor.”