Boards of Australian financial firms face tougher infosec rules from 1 July

Security really is a board problem for APRA-regulated entities as of Monday.
Written by Asha Barbaschow, Contributor

From the start of the new financial year, financial institutions regulated under the Australian Prudential Regulation Authority (APRA) will have a fire lit beneath them to take cybersecurity a little bit more seriously.

The new instruction comes by way of APRA's CPS-234 Information Security standard [PDF] and will require boards of APRA-regulated entities to be ultimately responsible for ensuring that the entity maintains its information security.

"This Prudential Standard aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyberattacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats," the standard explains.

See also: APRA advises regulated entities to manage risks when adopting cloud

Under the new directive, an APRA-regulated entity must clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies, and individuals.

They must also keep and maintain a log that details the size and extent of threats to its information assets, implement controls to protect those information assets, and undertake "systematic testing and assurance regarding the effectiveness of those controls".

Additionally, the entity must notify APRA of "material" information security incidents.

An APRA-regulated entity must notify APRA as soon as possible and, in any case, no later than 72 hours after becoming aware of an information security incident.

An incident is notifiable if it materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries, or other customers; or if it has been notified to other regulators, either in Australia or in other jurisdictions.

Need to disclose a breach? Read this: Notifiable Data Breaches scheme: Getting ready to disclose a data breach in Australia

Additionally, an APRA-regulated entity must notify APRA as soon as possible and, in any case, no later than 10 business days after it becomes aware of a material information security control weakness that the entity expects it will not be able to remediate in a timely manner.

"The board of an APRA-regulated entity is ultimately responsible for the information security of the entity. The board must ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity," APRA said.

Under the new standard, an APRA-regulated entity must classify its information assets, including those managed by related parties and third parties, by criticality and sensitivity.

"Where information assets are managed by a related party or third party, the APRA-regulated entity must assess the information security capability of that party, commensurate with the potential consequences of an information security incident affecting those assets," the regulator added.

The standard is made under section 11AF of the Banking Act 1959, section 32 of the Insurance Act 1973, section 230A of the Life Insurance Act 1995, section 92 of the Private Health Insurance (Prudential Supervision) Act 2015, and section 34C of the Superannuation Industry (Supervision) Act 1993 (SIS).

As such, it applies to all APRA-regulated entities, defined as: authorised deposit-taking institutions (ADIs), including foreign ADIs, and non-operating holding companies authorised under the Banking Act; general insurers, non-operating holding companies authorised under the Insurance Act, and parent entities of Level 2 insurance groups; life companies, including friendly societies, eligible foreign life insurance companies, and non-operating holding companies registered under the Life Insurance Act; private health insurers registered under the PHIPS Act; and RSE licensees under the SIS Act, in respect of their business operations.


Speaking with ZDNet about the looming mandate, Tenable ANZ country manager Bede Hackney said the new standard was an appropriate mechanism to make financial institutions in Australia aware of the threats they face.

"The added focus and attention on cybersecurity in the banking industry is certainly welcomed," he said. "Banks have become an attractive target for bad actors looking to monetise their efforts. And the growing number of IoT devices, public cloud services, and ephemeral applications are rapidly expanding the attack surface.

"It's important that regulators, boards of directors, executives and organisations everywhere continue to prioritise cybersecurity now and well into the future."

The new mandate solidifies the idea of cybersecurity being a board-level problem, but it also means boards will need to wrap their heads around a new domain of technology.

"Boards will be held accountable following cyber incidents, so it's important they understand where the organisation is exposed and to what extent they have effective remediation processes in place," Hackney continued.

"However, not all executives are well-versed in IT security jargon. CISOs and their security teams must clearly communicate the organisation's security posture in business terms, arming the board and other executives with actionable insight on how best to reduce risk. Collaboration and engagement are key."
