Under the new rules, released on Tuesday, the board of an APRA-regulated entity is ultimately responsible for the information security of the entity. The board will also be held responsible for any third parties and related entities that are brought in to manage security.
The guide, titled Prudential Practice Guide CPG 234 Information Security, replaces the older CPG 234 Management of Security Risk in Information and Information Technology.
APRA also released a letter to industry about submissions made on the draft guide, which was released in March, emphasising the need to maintain oversight of all third parties who manage information security on behalf of a business.
- vulnerability and threat management;
- situational awareness and intelligence;
- information security operations and administration;
- secure design, architecture and consultation;
- security testing, including penetration testing;
- information security reporting and analytics;
- incident detection and response, including recovery, notification and communication;
- information security investigation, including preservation of evidence and forensic analysis; and
- information security assurance.
Where third parties or related entities are engaged to look after information security needs, the guide recommends interviews, service reporting, control testing, certifications, attestations, referrals and independent assurance assessments to ascertain whether any capability gaps exist.
"It is increasingly common for third parties to rely on other service providers to deliver an end-to-end service. This introduces additional vulnerabilities and threats. Under such circumstances, APRA’s expectation is that an APRA-regulated entity would take reasonable steps to satisfy itself that the third party has sufficient information security capability to manage the additional threats and vulnerabilities resulting from such arrangements," the guide said.
It covers the entire gamut of information security, including penetration testing, updating and maintaining software, incident response, systematic testing by independent testers, end-of-life issues for software, and what a regulated business must do in the case of a disruption.
Any breach is expected to be notified as soon as possible, even if the information is incomplete.
Geoff Summerhayes, APRA executive board member, said: “Cyber-adversaries are targeting Australia’s banks, insurers and superannuation licensees with growing frequency and sophistication.
“The new standard and accompanying prudential practice guide will reinforce industry’s ability to withstand these information security threats, and respond effectively when breaches occur. It is only a matter of time until an Australian financial institution suffers a material information security breach of the kind we’ve seen overseas, so they must be prepared.
“Although many institutions are well advanced, we recognise that the new requirements materially raise the bar across the entire industry and will take time to be fully effective. We expect to see continuous improvement. If an entity assesses that it may not be able to fully comply with the new standard from 1 July, it should immediately advise its APRA supervisor.”
Bede Hackney, ANZ country manager of cyber exposure firm Tenable, said it was important for APRA-regulated entities to understand where they were exposed, to what extent, and how they could prioritise remediation efforts based on risk.
"Banks are racing to keep up with customer demand for tech-savvy and efficient services that conveniently fit into their digital lives," he said. "These expectations have forced banks to compete as digital businesses, delivering tailored services which can be accessed 24 hours a day from any device. This imperative to transform has created new security risks, with many organisations struggling to remediate vulnerability across their environments, making the sensitive financial information they store a high-value target for cyber criminals.
"The rise in high-profile data breaches and cyber crime has prompted corporate boards to pay closer attention to their organisations' security practices. With CPS-234 coming into effect, it has never been more important for banks to have visibility into all assets across their digital infrastructure, to continuously identify vulnerabilities and misconfigurations, and accurately prioritise their response to rigorously protect customer data."