APRA has released the final version of its prudential standard focused on information security management. The new Prudential Standard CPS 234 Information Security will shore up APRA-regulated entities’ resilience against information security incidents (including cyber-attacks) and their ability to respond swiftly and effectively in the event of a breach. Following extensive consultation with the industry, APRA also published a Response to Submissions paper outlining the final form of the standard. This Prudential Standard commences on July 01, 2019.
Where an APRA-regulated entity’s information assets are managed by a third party, the requirements in this Prudential Standard will apply in relation to those information assets from the earlier of the next renewal date of the contract with the third party or July 01, 2020. This prudential standard will apply to APRA-regulated entities, including authorized deposit-taking institutions, general insurers, life insurers, private health insurers, licensees of registrable superannuation entities (RSE licensees), and authorized or registered non-operating holding companies. CPS 234 requires APRA-regulated entities to:
- Clearly define information-security related roles and responsibilities
- Maintain an information security capability commensurate with the size and extent of threats to their information assets
- Implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls
- Promptly notify APRA of material information security incidents
APRA first released a discussion paper in March outlining the intended requirements of the new prudential standard. Industry was supportive of the intent and direction of CPS 234. APRA agreed to make several amendments, including clarifying requirements for information assets managed by third parties and modifying the timeframes for notifying APRA of information security incidents and material information security control weaknesses. To help entities fulfill their requirements, APRA will shortly update the Prudential Practice Guide CPG 234 on Management of Information and Information Technology.
Effective Date: July 01, 2019/July 01, 2020
Keywords: Asia Pacific, Australia, Banking, Insurance, CPS 234, Cyber Risk, Regtech, Prudential Standard, APRA
Previous ArticleHKMA Exempts Entities Outside Hong Kong from Local IRRBB Framework
EBA published a report analyzing the impact of the unwind mechanism of the liquidity coverage ratio (LCR) for a sample of European banks over a three-year period, from the end of 2016 to the first quarter of 2020.
In response to questions from a member of the European Parliament, the ECB President Christine Lagarde issued a letter clarifying the possibility of amending the AnaCredit Regulation and making targeted longer-term refinancing operations (TLTROs) dependent on the climate-related impact of bank loans.
IASB started the post-implementation review of the classification and measurement requirements in IFRS 9 on financial instruments and added the review as a project to its work plan.
FSB published a report that examines progress in implementing policy measures to enhance the resolvability of systemically important financial institutions.
EBA published a report on the benchmarking of national loan enforcement frameworks across 27 EU member states, in response to the call for advice from EC.
FSB published a letter from its Chair Randal K. Quarles, along with two reports exploring various aspects of the market turmoil resulting from the COVID-19 event.
RBNZ launched a consultation on the details for implementing the final Capital Review decisions announced in December 2019.
The Trustees of the IFRS Foundation, which are responsible for the governance and oversight of IASB, have announced the appointment of Dr. Andreas Barckow as the IASB Chair, effective July 2021.
HKMA issued a letter to consult the banking industry on a full set of proposed draft amendments to the Banking (Capital) Rules for implementing the Basel standard on capital requirements for banks’ equity investments in funds in Hong Kong.
ESRB published an opinion assessing the decision of Swedish Financial Supervisory Authority (FSA) to extend the application period of a stricter measure for residential mortgage lending, in accordance with Article 458 of the Capital Requirements Regulation (CRR).