APRA released an updated Prudential Practice Guide CPG 234 on managing information security risks, including cyber-crime. APRA also published its response to submissions on the draft CPG 234 Information Security, the consultation for which was launched in March 2019. The updated CPG 234 will assist APRA-regulated entities to embed and comply with the requirements of the new cross-industry prudential standard CPS 234 Information Security, which was release in November 2018 and applies to all APRA-regulated entities from July 01, 2019.
APRA, in March 2019, had proposed to update the cross-industry Prudential Practice Guide CPG 234 Management of Security Risk in Information and Information Technology, which is being renamed as the Prudential Practice Guide CPG 234 Information Security. APRA made a number of minor changes to CPG 234 as part of the final review process. The guide is aimed at boards and senior management as well as risk and information technology experts in regulated entities. It outlines how entities can maintain information security capabilities commensurate with the size and complexity of their business and the sensitivity of the data they possess. It also explains how entities can optimize their resilience when aspects of their information security are managed by third parties. The guide also sets out key information a board could consider in relation to its responsibilities under CPS 234.
CPS 234 is expected to shore up APRA-regulated entities’ resilience against information security incidents (including cyber-attacks) and their ability to respond swiftly and effectively in the event of a breach. The APRA letter states that, with the July 01 start date for CPS 234 imminent, it is important that all APRA-regulated entities have assessed their level of compliance with the standard and taken appropriate steps to address any gaps. APRA recognizes that the new information security requirements materially raise the bar across the industry and will take time to be fully effective. If an entity assesses that it will not be able to fully comply with the new standard from July 01, it should immediately contact its APRA supervisor.
Keywords: Asia Pacific, Australia, Banking, Insurance, CPG 234, CPS 234, Information Security, Prudential Practice Guide, Cyber Risk, Operational Risk, APRA
The Hong Kong Monetary Authority (HKMA) revised the Supervisory Policy Manual module CG-5 that sets out guidelines on a sound remuneration system for authorized institutions.
The European Banking Authority (EBA) published the final guidelines on the monitoring of the threshold and other procedural aspects on the establishment of intermediate parent undertakings in European Union (EU), as laid down in the Capital Requirements Directive (CRD).
In a recent Market Notice, the Bank of England (BoE) confirmed that green gilts will have equivalent eligibility to existing gilts in its market operations.
The Financial Conduct Authority (FCA) published the policy statement PS21/9 on implementation of the Investment Firms Prudential Regime.
The European Banking Authority (EBA) proposed regulatory technical standards that set out criteria for identifying shadow banking entities for the purpose of reporting large exposures.
The Board of the International Organization of Securities Commissions (IOSCO) proposed a set of recommendations on the environmental, social, and governance (ESG) ratings and data providers.
The European Securities and Markets Authority (ESMA) published recommendations from the Working Group on Euro Risk-Free Rates (RFR) on the switch to risk-free rates in the interdealer market.
The European Central Bank (ECB) published a paper as well as an article in the July Macroprudential Bulletin, both of which offer insights on the assessment of the impact of Basel III finalization package on the euro area.
The International Swaps and Derivatives Association (ISDA) published a paper that explores the impact of the Fundamental Review of the Trading Book (FRTB) on the trading of carbon certificates.
The Prudential Regulation Authority (PRA) published the remuneration policy self-assessment templates and tables on strengthening accountability.