With the Medibank breach intensifying concerns around identification and transaction fraud, the Australian Prudential Regulation Authority (APRA) has issued some reminders for its regulated entities.
In a statement, APRA advised the regulated community to ensure that information security controls are in place and operating to safeguard the entity, along with the Prudential Standard CPS234 Information Security's requirements and obligations. APRA-regulated entities must:
- Clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies, and individuals;
- Maintain an information security capability commensurate with the size and extent of threats to its information assets, which enables the continued sound operation of the entity;
- Implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets and undertake systematic testing and assurance regarding the effectiveness of those controls; and
- Notify APRA of material information security incidents.
Additionally, APRA-regulated entities must communicate with their customers to raise awareness and direct them to reputable sources such as ACSC, Moneysmart, and the Office of the Australian Information Commissioner, outlining additional steps customers can take to limit fraud risk.
Read more: Medibank says personal data was stolen
On October 13, private health insurance provider Medibank reported a cyberattack resulting in a data breach. It removed access to a few customer-facing systems after detecting “unusual activity” on its network.
The insurer eventually restored its policy systems, but warned customers to expect temporary disruptions. However, last week, a new statement released to the ASX said a cyber criminal claimed to have stolen 200 gigabytes (GB) of data from the insurer.
APRA is working with other government agencies and regulators in response to the cyber incident. It has also issued a discussion paper and seeks feedback to strengthen the management of operational risk in financial services.
“These circumstances serve as a reminder that cyber activity continues to escalate. Regulated entities are urged to review incident response plans and to ensure the regular testing of these plans. Senior management and board must be in a position to respond and mitigate harm,” APRA said in a statement.