APRA Updates Guidance on Managing Information Security Risks
APRA released an updated Prudential Practice Guide CPG 234 on managing information security risks, including cyber-crime. APRA also published its response to submissions on the draft CPG 234 Information Security, the consultation for which was launched in March 2019. The updated CPG 234 will assist APRA-regulated entities to embed and comply with the requirements of the new cross-industry prudential standard CPS 234 Information Security, which was release in November 2018 and applies to all APRA-regulated entities from July 01, 2019.
APRA, in March 2019, had proposed to update the cross-industry Prudential Practice Guide CPG 234 Management of Security Risk in Information and Information Technology, which is being renamed as the Prudential Practice Guide CPG 234 Information Security. APRA made a number of minor changes to CPG 234 as part of the final review process. The guide is aimed at boards and senior management as well as risk and information technology experts in regulated entities. It outlines how entities can maintain information security capabilities commensurate with the size and complexity of their business and the sensitivity of the data they possess. It also explains how entities can optimize their resilience when aspects of their information security are managed by third parties. The guide also sets out key information a board could consider in relation to its responsibilities under CPS 234.
CPS 234 is expected to shore up APRA-regulated entities’ resilience against information security incidents (including cyber-attacks) and their ability to respond swiftly and effectively in the event of a breach. The APRA letter states that, with the July 01 start date for CPS 234 imminent, it is important that all APRA-regulated entities have assessed their level of compliance with the standard and taken appropriate steps to address any gaps. APRA recognizes that the new information security requirements materially raise the bar across the industry and will take time to be fully effective. If an entity assesses that it will not be able to fully comply with the new standard from July 01, it should immediately contact its APRA supervisor.
Related Links
Keywords: Asia Pacific, Australia, Banking, Insurance, CPG 234, CPS 234, Information Security, Prudential Practice Guide, Cyber Risk, Operational Risk, APRA
Related Articles
EC Rule on Contractual Recognition of Write Down and Conversion Powers
The European Commission (EC) published the Delegated Regulation 2021/1527 with regard to the regulatory technical standards for the contractual recognition of write down and conversion powers.
APRA Issues Further Guidance on Application of Securitization Standard
The Australian Prudential Regulation Authority (APRA) published a new set of frequently asked questions (FAQs) to provide guidance to authorized deposit-taking institutions on the interpretation of APS 120, the prudential standard on securitization.
SRB Provides Update on Approach to Prior Permissions Regime
The Single Resolution Board (SRB) published a Communication on the application of regulatory technical standard provisions on prior permission for reducing eligible liabilities instruments as of January 01, 2022.
APRA Publishes FAQs on Capital Treatment of Overseas Subsidiaries
The Australian Prudential Regulation Authority (APRA) published a new set of frequently asked questions (FAQs) to clarify the regulatory capital treatment of investments in the overseas deposit-taking and insurance subsidiaries.
EBA Finalizes Guidance to Assess Breaches of Large Exposure Limits
The European Banking Authority (EBA) published the final report on the guidelines specifying the criteria to assess the exceptional cases when institutions exceed the large exposure limits and the time and measures needed for institutions to return to compliance.
PRA Finalizes Changes to Consolidated Prudential Rules Under CRD5/CRR2
The Prudential Regulation Authority (PRA) issued the policy statement PS20/21, which contains final rules for the application of existing consolidated prudential requirements to financial holding companies and mixed financial holding companies.
EBA Revises Guidelines on Stress Tests of Deposit Guarantee Schemes
The European Banking Authority (EBA) revised the guidelines on stress tests to be conducted by the national deposit guarantee schemes under the Deposit Guarantee Schemes Directive (DGSD).
Nordea Bank and EIB Sign Agreement to Fund Green Projects in Nordics
The European Commission (EC) announced that Nordea Bank has signed a guarantee agreement with the European Investment Bank (EIB) Group to support the sustainable transformation of businesses in the Nordics.
HKMA Endorses Industry Guidance to Support LIBOR Transition
The Hong Kong Monetary Authority (HKMA) issued a circular, for all authorized institutions, to confirm its support of an information note that sets out various options available in the loan market for replacing USD LIBOR with the Secured Overnight Financing Rate (SOFR).
OCC Issues Booklet on Supervision of Problem Banks
The Office of the Comptroller of the Currency (OCC) issued a new "Problem Bank Supervision" booklet of the Comptroller's Handbook. The booklet covers information on timely identification and rehabilitation of problem banks and their advanced supervision, enforcement, and resolution when conditions warrant.
