Cyber security is today one of the major risk issues for business, and management of this issue is a focus of attention for directors. Prudentially regulated bodies such as banks and insurers now have mandatory requirements for the management of information security, with the release of a new prudential standard by the Australian Prudential Regulation Authority (APRA).
Application of the standard
Prudential standard CPS 234 Information Security (CPS 234) applies to the full range of APRA-regulated entities, including authorised deposit-taking institutions (ADIs), general and life insurers, private health insurers, and superannuation RSE licensees, among others.
When information security requirements are set out in a prudential standard, they go beyond business risk management and also become a compliance issue. That’s because prudential standards issued by APRA are legal obligations. For example, under the Banking Act, ADIs must comply with prudential standards issued by APRA which apply to them.
APRA-regulated entities therefore need to ask not only whether their information security is fit for purpose, but also whether it complies with the law. The answer to each question is not always the same.
What is information security?
Information security is defined in CPS 234 as “the preservation of an information asset’s confidentiality, integrity and availability.” Information assets, in turn, are defined as information and information technology, including software, hardware and data (both soft and hard copy). The standard therefore applies to paper records as well as digital records; it is not just a standard on cybersecurity.
When the new standard applies
The new standard will take effect on 1 July 2019, except in the case where the APRA-regulated entity’s information assets are managed by a third party. In that case, the requirements will apply to those assets from the renewal date of the contract with the third party, or 1 July 2020 if earlier.
Roles and responsibilities
The Board of an APRA-regulated entity plays a crucial role under CPS 234, which states that ultimate responsibility for information security of the entity rests with its Board, and that the Board must ensure that the entity maintains information security in a manner commensurate with (i.e. proportionate or corresponding to) the size and extent of threats to its information assets, and which enables continued sound operation of the entity.
CPS 234 also requires that information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals with relevant responsibilities are all clearly defined.
APRA-regulated entities are required to maintain an “information security capability” commensurate with the size and extent of threats to their information assets and which enables sound continued operation of the entity.
The standard defines “information security capability” as “the totality of resources, skills, and controls which provide the ability and capacity to maintain information security.”
Maintaining an adequate information security capability is the core obligation which underlies the other requirements in the prudential standard.
Many APRA-regulated entities outsource some of the functions of management of information assets. The standard says that where information assets are managed by a related party or third party, the APRA-regulated entity is required to assess the information security capability of that party, commensurate with the potential consequences of an “information security incident” (i.e., an actual or potential compromise of information security) affecting those assets. Note that this requirement is not limited to material outsourcing arrangements covered by the APRA prudential standard on outsourcing: it applies more generally to any situation where information assets are managed by others.
Information security risks are ever evolving, and so the standard says that the APRA-regulated entity must actively maintain its information security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or its business environment.
Putting policies in place
APRA regulated entities will be required by CPS 234 to have an information security policy framework which provides direction on the responsibilities of all parties who have an obligation to maintain information security. This may include not only the Board and management but also staff, third parties and even customers. The framework must be proportionate to the exposures to vulnerabilities and threats faced by the entity.
Identifying and classifying assets
CPS 234 says that information assets must be classified by criticality and sensitivity. This includes assets managed by related parties and third parties.
Criticality refers to the potential impact of a loss of availability (e.g. a core banking platform being disabled) while sensitivity refers to the potential impact of a loss of confidentiality or integrity (e.g. a leak of customer data).
The classification of information assets must reflect the degree to which an information security incident affecting an information asset has the potential to affect (either financially or non-financially) the entity, or the interests of depositors, policyholders, beneficiaries, or other customers.
An information security control is defined in the standard as a “prevention, detection or response measure to reduce the likelihood or impact of an information security incident.” APRA-regulated entities must have information security controls to protect their information assets. These controls must be implemented in a timely manner, and the controls must be commensurate with:
- vulnerabilities and threats to the information assets;
- the criticality and sensitivity of the information assets;
- the stage at which the information assets are within their life-cycle (i.e., the process from planning and design through to decommissioning and disposal of an information asset); and
- the potential consequences of an information security incident.
In the case where related parties or third parties manage information assets, the design of that party’s information security controls must be evaluated by the APRA-regulated entity.
APRA-regulated entities must have information security response plans which are annually reviewed and tested. These plans are to respond to information security incidents that the entity considers could plausibly occur. The plans must include mechanisms to manage all stages of an incident and to escalate and report information security incidents to the Board and to other relevant governing bodies and responsible individuals. There must be robust mechanisms to detect and respond to incidents in a timely manner.
Information security controls must be tested through a systematic testing program. The testing program has to be reviewed at least every year and when there is a material change to information assets or the business environment. Testing is to be conducted by specialists who are appropriately skilled and “functionally independent”, and testing results must be reported to the Board or senior management if they identify information security control deficiencies which cannot be remediated in a timely manner.
CPS 234 says that the nature and frequency of testing of controls must be commensurate with:
- the rate at which the vulnerabilities and threats change;
- the criticality and sensitivity of the information asset;
- the consequences of an information security incident;
- the risks associated with exposure to environments where the APRA-regulated entity is unable to enforce its information security policies (i.e. an “untrusted” environment); and
- the materiality and frequency of change to information assets.
If information assets are managed by a related party or a third party, the APRA-regulated entity may be reliant on that party’s testing. In that case, CPS 234 says that the APRA-regulated entity must assess whether the nature and frequency of testing is commensurate with the factors listed above.
Internal audit has specific functions in relation to information security under CPS 234. Internal audit activities of the APRA-regulated entity must include a review of the design and operating effectiveness of information security controls. This must be conducted by appropriately skilled personnel, and the scope extends to controls maintained by related parties and third parties. In addition, the internal audit function is required to assess the information security control assurance provided by a related party or third party where an information security incident could have a material effect, if internal audit intends to rely on the assurance provided.
APRA notification requirements
CPS 234 introduces a requirement to notify APRA of an information security incident as soon as possible and in any case within 72 hours after becoming aware of the incident. The reporting obligation is triggered when the incident has materially affected, or had the potential to materially affect, financially or non-financially, the entity itself or the interests of depositors, policyholders, beneficiaries, or other customers, or when it has been notified to other regulators in Australia or overseas (e.g. a notifiable data breach reported to the Office of the Australian Information Commissioner). This requirement applies to notifications of security incidents not already captured under other APRA prudential standards such as CPS 232 Business Continuity Management.
Another reporting obligation applies to a material information security control weakness that the entity expects it will not be able to remediate in a timely manner. The entity must report such a weakness to APRA as soon as possible and in any event no later than 10 business days after it becomes aware of the weakness.
Patrick Dwyer and Kathleen Harris
Click here to subscribe to our email list for news, comment and analysis