A draft standard released by the Australian Prudential Regulation Authority as part of a public consultation will impose a range of cyber security related obligations on APRA-regulated organisations such as banks.
Under the draft standard, CPS 234, an APRA-regulated entity will be obliged to spell out the information security related roles and responsibilities of its board as well as “senior management, governing bodies and individuals”.
An organisation will have to “maintain information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity” and implement and systematically test appropriate security controls.
Financial services organisations will also have to report “material” information security incidents to the regulator.
“All APRA-regulated entities ... must operate on the basis that information security attacks are and will continue to remain a significant threat,” states a discussion paper released alongside the draft.
“Accordingly, the management of information security should be based on the expectation that significant cyber security incidents will be experienced. While to date, no entity has suffered material losses from an information security incident, and security controls have protected against past attacks, APRA strongly believes that past experience is not grounds for complacency.”
"Australian financial institutions are among the top targets of cyber criminals seeking money or customer data, and the threat is accelerating," APRA executive board member Geoff Summerhayes said.
“In a worst-case scenario, a cyber attack could even force a company out of business,” Summerhayes said.
“Cyber security is generally well-handled across the financial sector, but with criminals constantly refining and expanding their tools and capabilities, complacency is not an option,” he added.
APRA is accepting submissions on the proposal until 7 June. At this stage the regulator says it expects to implement the new standard from 1 July next year.