The boards of banks and other entities regulated by the Australian Prudential Regulation Authority are ultimately responsible for an organisation’s information security, states a new standard released today by APRA.
The new information security prudential standard applies to authorised deposit-taking institutions such as banks as well as insurers and private health insurers, and so-called life companies (such as friendly societies).
An organisation’s board “must ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity,” states the standard.
The standard also requires that the information security roles and responsibilities of the board, senior management, governing bodies and the individuals responsible for infosec decision-making, oversight and operations be clearly defined.
The standard also formally obliges organisations to notify APRA of serious security incidents.
Within 72 hours of becoming aware of a security incident, a regulated entity must notify APRA if the incident “materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers” or if other regulators have been notified of the incident.
The standard requires regular testing and auditing of information security controls.
The new standard — CPS 234 — will commence on 1 July 2019.
APRA in March launched a consultation on the proposed standard. In a paper accompanying the release of CPS 234, the regulator said that although the submissions it received were “generally supportive of the intent and direction of APRA’s information security proposals,” a number of concerns were raised “including the practical application of the proposals where information assets are managed by third parties, and issues around the timing of implementation of the standard and notification requirements.”
The final standard imposes obligations on organisations that rely on third party service providers, including a requirement to assess whether the nature and frequency of the provider's testing of information security controls meets the requirements set out in CPS 234.
The full standard is available from APRA's website.
In September, APRA released its first information paper on the use of cloud computing.