APRA has released the final version of Prudential Standard CPS 234 on Information Security. This follows a period of industry consultation and responses to submissions on the draft standard released in March 2018.
In response to submissions received, APRA has confirmed:
- The new standard will come into effect from 1 July 2019. A transition period has been allowed for third-party arrangements, for which the requirements will apply from the earlier of the next contract renewal date and 1 July 2020.
- All information assets of regulated entities must be classified in terms of both criticality and sensitivity. This requirement is irrespective of whether information assets are managed by the regulated entity or a third or related party.
- Information assets must be managed in accordance with the new standard regardless of whether the third party managing them is in a direct or indirect (downstream) relationship with the regulated entity, and regardless of whether those assets form part of a material business activity outsourcing.
- Regulated entities must notify APRA within 72 hours of becoming aware of an information security incident. Notifiable incidents are those that have had, or could have, a material effect, and those that must be notified to another regulator, whether in Australia or in another jurisdiction.
- Regulated entities must notify APRA within 10 business days of becoming aware of a material information security control weakness that the entity does not expect to be able to remediate in a timely manner.
APRA has also provided further clarification on other requirements in the standard relating to:
- Board information security responsibilities
- Information asset life-cycle
- Annual review and testing of information security response plans
- Nature and frequency of control effectiveness testing, commensurate with the materiality of information assets and the frequency of changes to them
- Reliance on testing of control effectiveness over information assets managed by third or related parties
- The role of internal audit for information assets managed by third or related parties
To assist regulated entities with implementing the requirements of the new standard, APRA will be updating Prudential Practice Guide CPG 234 in the first half of 2019. In preparation, and as recommended in our previous article, regulated entities should assess their current information security control environment, identify any gaps, and develop and execute action plans to address any shortfalls. With its broad scope of security services, Alcorn Group can assist organisations with performing these assessments, as well as provide ongoing support for meeting the new requirements beyond the effective date.