APRA proposes cross-industry framework for management of information security

In brief

APRA has released for consultation its first prudential standard of information security, Prudential Standard CPS 234 Information Security (CPS 234). The standard is a response to the growing threat of cyber attacks, and its key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity, or availability of information assets, including information assets managed by related parties or third parties.

Key takeaways

The key requirements of CPS 234 are as follows:

• Responsibility for infosec The board of a regulated entity is ultimately responsible for information security, to reflect the 'need to close an observed gap in board engagement on information security'. The roles of various personnel regarding information security must also be clearly defined. The growing significance of information security is also likely to be increasingly important for boards when assessing whether they have the collective skills and knowledge to manage the entity's affairs.
• Proportionate capability and framework Regulated entities will need to establish an 'information security capability' that is commensurate with the size and extent of threats, and that enables the continued sound operation of the entity. Information security capability refers to the 'resources, skillset, and controls necessary to maintain information security'.¹ Regulated entities will also be required to maintain an information security policy framework, proportionate to their exposure to vulnerabilities and threats. Most APRA-regulated entities would already have significant capability and formal frameworks for managing information security risks, but the prudential standards will formally require this.
• Classification of information assets Regulated entities will be required to classify their information assets by criticality and sensitivity, and implement adequate information security controls over those assets. This requirement will apply irrespective of whether the information asset is managed by a related or third party. CPG 234 provides guidance on the consideration of criticality and sensitivity of information assets.
• Testing Regulated entities will need to test the effectiveness of their information security controls through a systematic testing program. CPS 234 does not stipulate timeframes for testing, but it notes that the frequency should be proportionate to the nature of the threats, the nature of the information assets, and the consequence of an information security incident.
• Notification to APRA Regulated entities will need to notify APRA of a material information security incident within 24 hours. Where a regulated entity identifies a 'material information security control weakness', it will need to notify APRA as soon as possible, but no later than five business days. Where a regulated entity is required to notify APRA of information security incidents under more than one prudential standard, the entity would only be required to provide one notification to APRA.² Regulated entities that are also Australian financial services licensees will need to consider how the reporting obligation under the prudential standard will interact with their obligation as licensees to report significant breaches under section 912D of the Corporations Act 2001 (Cth). An information security incident reported to APRA may also involve a breach of the entity's obligations as licensee.

Background

CPS 234 forms part of a broader APRA project to update the prudential framework regarding the qualitative management of operational risks across all APRA-regulated entities.

Cyber risks, in particular, have been on APRA's agenda for some time. APRA conducted its second survey of cyber awareness and risk management among its regulated institutions in June 2017.⁴ The 2017 survey was designed to assess the nature of cyber incidents over the most recent 12-month period, and gauge the extent of change since the 2016 survey. The findings from the 2017 survey reiterate the need for continued vigilance in cyber security among APRA-regulated institutions.

In his address to the Insurance Council of Australia's Annual Forum in Sydney on 7 March 2018, Geoff Summerhayes, Executive Board Member of APRA, addressed the growing potential threat to Australian financial institutions posed by cyber risk.⁵ He said that while APRA is broadly satisfied with the industry's approach to cyber security to date, there is 'no room for complacency'.

Although no APRA-regulated entity (an entity) has, to date, suffered a material loss due to a cyber attack, the survey results, combined with intelligence from APRA's supervisory activities, confirm that all institutions must operate on the basis that cyber attacks remain a significant threat.

The introduction of CPS 234, following consultation with industry bodies throughout 2017, reflects the need to establish minimum standards across all industries. APRA states the proposals in CPS 234 reflect:

• the need to address a clear gap in APRA's prudential framework and outline minimum requirements for the management of information security across an entity;
• that an entity's exposure to the risk of information security incidents exists across its extended business environment, including information and information technology managed by third-party providers (eg cloud providers);
• the rapidly evolving nature of information security threats and vulnerabilities; and
• that cyber security surveys conducted by APRA, and other supervisory activities, have revealed weaknesses in industry's information security management practices'.⁶

Current framework

Until now, APRA has addressed the management of information security in two key ways.

• It introduced the Prudential Practice Guide CPG 234 – Management of Security Risk in Information and Information Technology (CPG 234) in May 2013. CPG 234 was intended to assist regulated institutions by setting out APRA's guidance on sound practices in relation to areas APRA had identified, through its supervision of regulated entities, as areas of IT security risk management weaknesses. A Prudential Practice Guide provides only guidance and does not create any enforceable requirements. CPS 234 has elevated key principles from CPG 234 to enforceable obligations. APRA will update the guidance in CPG 234 to reflect the final version of CPS 234.
• It issued Prudential Standard CPS 220 Risk Management and Prudential Standard SPS 220 Risk Management (CPS/SPS 220) in July 2017 and October 2014 respectively. These prudential standards impose risk-management obligations on APRA-regulated entities. They do not impose specific risk-management obligations in relation to information security risks, other than to require that risk-management functions have access to all aspects of the institution that have the potential to generate material risk, including information technology systems and systems development resources. They also impose general risk management obligations on regulated entities, which would encompass information security risks. Although CPS 234 doesn't expressly refer to CPS/SPS 220, it is designed to complement, and become part of, the broader risk management framework, and elevate the importance of information security risks to ensure they 'have the same visibility as other risks contained in an entity's Risk Management Framework'.⁷