Tuesday, 25 June 2019 18:43

New infosec rules for banks, other APRA-regulated entities from 1 July


Banks and other businesses regulated by the Australian Prudential Regulation Authority will have to abide by a new set of rules governing information security, including cyber crime, from 1 July.

Under the new rules, released on Tuesday, the board of an APRA-regulated entity is ultimately responsible for the information security of the entity. The board will also be held responsible for any third parties and related entities that are brought in to manage security.

The guide, titled Prudential Practice Guide CPG 234 Information Security, replaces the older CPG 234 Management of Security Risk in Information and Information Technology.

APRA also released a letter to industry responding to submissions on the draft guide, which had been released in March. The letter emphasised the need to maintain oversight of all third parties that manage information security on behalf of a regulated business.

In assessing its ability to meet its information security needs, APRA said a regulated entity could consider the following capabilities:

  • vulnerability and threat management;
  • situational awareness and intelligence;
  • information security operations and administration;
  • secure design, architecture and consultation;
  • security testing, including penetration testing;
  • information security reporting and analytics;
  • incident detection and response, including recovery, notification and communication;
  • information security investigation, including preservation of evidence and forensic analysis; and
  • information security assurance.

Where third parties or related entities are engaged to look after information security needs, the guide recommends interviews, service reporting, control testing, certifications, attestations, referrals and independent assurance assessments to ascertain whether any capability gaps exist.

"It is increasingly common for third parties to rely on other service providers to deliver an end-to-end service. This introduces additional vulnerabilities and threats. Under such circumstances, APRA’s expectation is that an APRA-regulated entity would take reasonable steps to satisfy itself that the third party has sufficient information security capability to manage the additional threats and vulnerabilities resulting from such arrangements," the guide said.

The guide covers the entire gamut of information security, including penetration testing, updating and maintaining software, incident response, systematic testing by independent testers, end-of-life issues for software, and what a regulated business must do in the event of a disruption.

Any breach is expected to be notified to APRA as soon as possible, even if the available information is incomplete.

Geoff Summerhayes, APRA executive board member, said: "Cyber-adversaries are targeting Australia's banks, insurers and superannuation licensees with growing frequency and sophistication.

"The new standard and accompanying prudential practice guide will reinforce industry's ability to withstand these information security threats, and respond effectively when breaches occur. It is only a matter of time until an Australian financial institution suffers a material information security breach of the kind we've seen overseas, so they must be prepared.

"Although many institutions are well advanced, we recognise that the new requirements materially raise the bar across the entire industry and will take time to be fully effective. We expect to see continuous improvement. If an entity assesses that it may not be able to fully comply with the new standard from 1 July, it should immediately advise its APRA supervisor."

Bede Hackney, ANZ country manager of cyber exposure firm Tenable, said it was important for APRA-regulated entities to understand where they were exposed, to what extent, and how they could prioritise remediation efforts based on risk.

"Banks are racing to keep up with customer demand for tech-savvy and efficient services that conveniently fit into their digital lives," he said. "These expectations have forced banks to compete as digital businesses, delivering tailored services which can be accessed 24 hours a day from any device. This imperative to transform has created new security risks, with many organisations struggling to remediate vulnerabilities across their environments, making the sensitive financial information they store a high-value target for cyber criminals.

"The rise in high-profile data breaches and cyber crime has prompted corporate boards to pay closer attention to their organisations' security practices. With CPS-234 coming into effect, it has never been more important for banks to have visibility into all assets across their digital infrastructure, to continuously identify vulnerabilities and misconfigurations, and accurately prioritise their response to rigorously protect customer data."

Sam Varghese