The Australian Prudential Regulation Authority (APRA) has finalised guidance around the Information Security Standard with which APRA-regulated entities will be expected to comply as of 1 July.
APRA have already released a letter to industry, as well as the final version of the cross-industry Prudential Practice Guide CPG 234 Information Security (CPG 234).
Late last year, APRA published the final version of the CPS 234, which requires APRA-regulated entities to:
clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals;
maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity;
implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and
notify APRA of material information security incidents.
“The new standard and accompanying prudential practice guide will reinforce industry’s ability to withstand these information security threats, and respond effectively when breaches occur. It is only a matter of time until an Australian financial institution suffers a material information security breach of the kind we’ve seen overseas, so they must be prepared,” APRA Executive Board Member Geoff Summerhayes said earlier this week.