APRA Updates Guidance on Managing Information Security Risks
APRA released an updated Prudential Practice Guide CPG 234 on managing information security risks, including cyber-crime. APRA also published its response to submissions on the draft CPG 234 Information Security, the consultation for which was launched in March 2019. The updated CPG 234 will assist APRA-regulated entities to embed and comply with the requirements of the new cross-industry prudential standard CPS 234 Information Security, which was release in November 2018 and applies to all APRA-regulated entities from July 01, 2019.
APRA, in March 2019, had proposed to update the cross-industry Prudential Practice Guide CPG 234 Management of Security Risk in Information and Information Technology, which is being renamed as the Prudential Practice Guide CPG 234 Information Security. APRA made a number of minor changes to CPG 234 as part of the final review process. The guide is aimed at boards and senior management as well as risk and information technology experts in regulated entities. It outlines how entities can maintain information security capabilities commensurate with the size and complexity of their business and the sensitivity of the data they possess. It also explains how entities can optimize their resilience when aspects of their information security are managed by third parties. The guide also sets out key information a board could consider in relation to its responsibilities under CPS 234.
CPS 234 is expected to shore up APRA-regulated entities’ resilience against information security incidents (including cyber-attacks) and their ability to respond swiftly and effectively in the event of a breach. The APRA letter states that, with the July 01 start date for CPS 234 imminent, it is important that all APRA-regulated entities have assessed their level of compliance with the standard and taken appropriate steps to address any gaps. APRA recognizes that the new information security requirements materially raise the bar across the industry and will take time to be fully effective. If an entity assesses that it will not be able to fully comply with the new standard from July 01, it should immediately contact its APRA supervisor.
Related Links
Keywords: Asia Pacific, Australia, Banking, Insurance, CPG 234, CPS 234, Information Security, Prudential Practice Guide, Cyber Risk, Operational Risk, APRA
Related Articles
EBA Issues Erratum for Phase 2 Package of Reporting Framework 3.0
EBA published an erratum for the technical package on phase 2 of the reporting framework 3.0.
MAS Amends Notice on Related Party Transactions of Banks
MAS amended Notice 643A that addresses requirements for banks to prepare statements of exposures and credit facilities to related concerns or parties.
ECB Amends Guideline on Euro Short-Term Rate
ECB has published, in the Official Journal of the European Union, the Guideline 2021/565 on the euro short-term rate (€STR) and this guideline amends the previous ECB Guideline 2019/1265.
EBA Consults on Standards Related to FRTB-SA
EBA launched a consultation on the draft regulatory technical standards on the list of countries with an advanced economy for calculating the equity risk under the alternative standardized approach (FRTB-SA).
PRA Proposes Rules Related to IRB Approach for Credit Risk
PRA is proposing, via CP7/21, the approach to implementing new requirements related to the specification of the nature, severity, and duration of an economic downturn in the internal ratings-based (IRB) approach to credit risk.
BoE Outlines Regulatory Treatment of Recovery Loan Scheme of UK
The UK government launched the Recovery Loan Scheme (RLS) as part of its continued COVID-19 support for UK businesses, as announced by HM Treasury on March 03, 2021.
FSB Addresses G20 on COVID Measures, TBTF Reforms, and Climate Risks
FSB published a letter, from its Chair Randal K. Quarles, to the G20 Finance Ministers and Central Bank Governors, ahead of their virtual meeting on April 07, 2021.
OSFI Unwinds Temporary Increase to Covered Bond Limit for Banks
OSFI issued a letter to the deposit-taking institutions issuing covered bonds and announced the unwinding of the temporary increase to the covered bond limit for deposit-taking institutions, effective immediately.
EU Amends CRR and Securitization Regulation in Response to Pandemic
To support recovery from the COVID-19 crisis, EU has published two regulations to amend the securitization framework, as set out in the Securitization Regulation (2017/2402) and the Capital Requirements Regulation or CRR (575/2013).
HM Treasury Announces G7 Agreement on Green Agenda Ahead of COP26
HM Treasury announced that G7 Finance Ministers and Central Bank Governors met ahead of COP 26, the 2021 UN Climate Change Conference, and agreed on green agenda.