With the frequency and seriousness of data breaches continuing to set new records each year in Australia and across the world, Australian regulators have begun laying down the law when it comes to data management, cyber resilience and information security practices.
The Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 Information Security, which commenced on 1 July 2019, carries the force of law and establishes a host of information security requirements for authorised deposit-taking institutions (ADIs) such as banks and insurance providers (APRA entities). It signals APRA's increasing scrutiny of the way financial institutions manage and protect the data they hold.
However, organisations that 'manage' the 'information assets' of APRA entities (including providers of cloud-based services, IT infrastructure providers, IT implementation and support providers, data hosting and data management providers, and so on) are also affected by CPS 234 and need to understand their obligations in full.
Below is a snapshot of what we've learned about CPS 234 in practice to date.
Key requirements under CPS 234
CPS 234 establishes various security requirements in respect of an APRA entity's 'information assets', essentially any form of information technology, including software, hardware and data. This term is much broader than 'personal data' or 'personal information' (the terms used in privacy and data protection laws, which apply only to natural persons). Information assets are not subject to a materiality limitation; therefore, APRA entities must ensure that any steps taken to comply with CPS 234 account for all the different forms of information assets relating to their business.
The core requirements under CPS 234 fall into two distinct categories. Under the first set of requirements, APRA entities must establish the following information security practices:
Information security capability. The APRA entity must actively maintain an information security capability which enables the continued sound operation of the ADI.
Implementation of controls. The APRA entity must establish information security controls to protect the ADI's information assets across their life cycle.
Testing control effectiveness. The APRA entity must establish systemic testing programs which are able to test the effectiveness of its information security controls.
Incident management. The APRA entity must establish robust mechanisms and plans to detect and respond to information security incidents that could plausibly occur.
Internal audit. The APRA entity must ensure that its internal audit activities include a review of the design and operating effectiveness of information security controls.