APRA Consults on First Prudential Standard for Tackling Cyber Attacks

Key areas where APRA is hoping to lift standards include assurance over the cyber capabilities of third parties such as service providers and enhancing entities’ ability to respond to, and recover from, cyber incidents. APRA proposes to apply this standard authorized deposit-taking institutions, general insurers, life insurers, private health insurers, licensees of registrable superannuation entities (RSE licensees), and authorized or registered non-operating holding companies. APRA intends to finalize the proposed standard toward the end of the year, with a view to implementing CPS 234 from July 01 next year. The proposed new standard, CPS 234, would require regulated entities to:

• Clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies, and individuals
• Maintain information security capability commensurate with the size and extent of threats to information assets and which enables the continued sound operation of the entity
• Implement information security controls to protect its information assets and undertake systematic testing and assurance regarding the effectiveness of those controls
• Have robust mechanisms in place to detect and respond to information security incidents in a timely manner
• Notify APRA of material information security incidents

Related Links

• Press Release
• Consultation on CPS 234
• Cyber Security Survey, 2017

Comment Due Date: June 07, 2018

Keywords: Asia Pacific, Australia, Banking, Insurance, CPS 234, Cyber Risk, Prudential Standard, APRA