This week the Australian Prudential Regulation Authority (APRA) released the final version of Prudential Standard CPS 234 Information Security, which is intended to help regulated entities strengthen their cyber resilience and respond to information security incidents.
The standard comes into effect on 1 July 2019.
It emphasises the role of the board, which is ultimately responsible for the entity's information security.
This comes a week after the Office of the Australian Information Commissioner (OAIC) released its quarterly report on the Notifiable Data Breaches (NDB) scheme, which found that the private health and finance sectors were the top reporting industries for the quarter.
“A significant information security breach at an APRA-regulated entity is almost certainly a question of when – not if. In a worst-case scenario, a major breach could even force a company out of business. As a result, APRA is speeding up implementation of this standard, and expects all regulated entities to meet its requirements by 1 July next year,” APRA Commissioner Geoff Summerhayes said.
The regulator added that, to help entities ‘fulfil the requirements’, it will update Prudential Practice Guide CPG 234 Management of Security Risk in Information and Information Technology.
Under Prudential Standard CPS 234 Information Security, APRA-regulated entities must:
clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals;
maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity;
implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and
notify APRA of material information security incidents.