In response to the increasing frequency, sophistication and impact of information security attacks, in March 2018, APRA released draft Prudential Standard CPS 234 on Information Security. The proposed standard will require regulated entities to ensure they have effective security controls in place to protect against and respond to such attacks.
Australian regulated entities impacted by the proposed new standard are banks, building societies, credit unions, life and general insurance and reinsurance companies, private health insurers, friendly societies and superannuation funds (excluding self-managed funds). The standard broadly covers the following areas that regulated entities will need to address:
- Information security roles and responsibilities
- Information security capability and policy framework
- Information assets and controls, including incident management
- Controls testing and internal audit
- APRA notifications
The consultation period closed in June 2018, and it is expected that the final version of the standard will be released in late 2018. The proposed effective date for the new standard is 1 July 2019.
In preparation, regulated entities will need to assess their current information security control environment, identify any gaps, and develop and execute action plans to address any shortfalls. With its broad scope of security services, Alcorn Group can assist organisations with performing these assessments, as well as provide ongoing support for meeting the new requirements beyond the proposed effective date.