Information security is a constantly evolving and dynamically changing landscape of threat and risk. Organisations that manage significant amounts of Personally Identifiable Information (PII) and personal financial information are a particularly attractive target. Unfortunately, in many cases APRA-regulated organisations of all sizes have historically found it challenging to achieve traction with information security initiatives, resulting in broad risk to the financial services industry and its associated stakeholders (e.g. fund customers and members). To help address this, APRA released the draft Prudential Standard CPS 234 Information Security (CPS 234) in March 2018. This prudential standard sought to ensure that APRA-regulated entities have in place sufficient information security capabilities to remain resilient against security incidents (e.g. data breaches). The final version of the standard was released in November 2018 and, following industry consultation, comes into effect on 1st July 2019.
CPS 234 applies to all APRA-regulated entities, and applies equally regardless of an organisation's size and capability. APRA-regulated entities include:
- banks, building societies and credit unions
- life and general insurance and reinsurance companies
- private health insurers
- friendly societies and superannuation funds (excluding self-managed funds).
When considering compliance with CPS 234, an APRA-regulated entity must address nine distinct information security areas. These areas are as follows:
- Roles and responsibilities – defining the board's and individuals' responsibilities for information security
- Information security capability – measuring and validating on an ongoing basis that the organisation can maintain information security
- Policy framework – implementing and maintaining foundational organisational policy elements such as risk management, acceptable use, human resource security, change management etc.
- Information asset identification and classification – classifying all information based on criticality and sensitivity
- Implementation of controls – implementing the technical, managerial and operational controls necessary to achieve and maintain the security of information, including information managed by third parties. Examples of controls are encryption, backup solutions, security awareness training, documented procedures and guidelines etc.
- Incident management – defining and implementing a framework for managing and responding to security incidents when they occur, to ensure incidents are contained and eradicated, and that the impacted assets are recovered
- Testing control effectiveness – implementing a systematic approach to making sure the implemented controls are suitable and fit for purpose, commensurate with the threat landscape, the type of information to be protected, the consequences of an incident and the regularity of change
- Internal audit – establishing or extending an internal audit program to provide information security assurance to the board
- APRA notification – a defined requirement for APRA to be notified no later than 72 hours after becoming aware of a reportable information security incident. CPS 234 also requires that APRA be notified no later than 10 days after becoming aware of a material security control weakness that cannot be resolved in a timely manner.
In defining these requirements, CPS 234 varies from being highly prescriptive to largely subjective in what it requires. As a result, some organisations may find it challenging to assess compliance. Where this is the case, Alcorn Group recommends:
- Understanding the organisation's core business goals and establishing information security objectives that align with and support them
- The board realising and taking responsibility for information security, and then defining individual roles within the organisation to achieve these objectives
- Identifying the critical and important information, and the information processing facilities
- The board supporting initiatives to protect the information security of critical information assets
- Establishing information security Key Performance Indicators (KPIs) and measuring the current state. The board is then able to set KPI targets to influence information security and define the leadership requirements for success.
For further guidance on achieving compliance with CPS 234, APRA has released the draft Prudential Practice Guide CPG 234, with the final version expected to be released prior to the CPS 234 effective date (1st July 2019).