APRA has released a draft of the Prudential Practice Guide CPG 234 Information Security for consultation. This provides a reminder that the due date for compliance with Prudential Standard CPS 234 Information Security is 1 July 2019.
The aim of the guide is to provide assistance to APRA-regulated entities in maintaining and supervising information security across the enterprise. It will also provide useful guidance to other corporates seeking a best practice approach to cyber-security management.
The key requirements of CPS 234 are:
It will be important, as with any information security framework, to have the appropriate technical measures, processes, policies and procedures in place. Our article on APRA CPS 234 Information Security provides further information on how to prepare. However, CPS 234 will have a broader impact.
CPS 234 recommends a number of areas to address when updating an organisation’s information security policy. This will help the entity achieve wider compliance with CPS 234. For example, an updated policy should cover the identification and classification of security incidents, reporting and escalation guidelines, the preservation of evidence and an incident investigation process.
CPS 234 applies to material information security incidents. Many of these incidents will involve data being compromised. Often, an assessment of whether that data includes personal information will be required. There is significant potential for the revised information security framework to overlap with other frameworks, notably Australia’s notifiable data breach scheme and the European Union’s General Data Protection Regulation (GDPR), which applies to many Australian organisations.
The challenge will be that an information security incident may require an assessment and notification under CPS 234, Australia’s Privacy Act and the GDPR, with the thresholds for notification and the timeframes varying under each of these regimes. This provides a good opportunity for entities to review the interaction between their internal policies and procedures relating to information security incidents and those relating to data and privacy breaches.
While not all information security incidents will need to be raised with the privacy and legal teams, spending the time to establish expectations and business rules about how to deal with an incident involving data privacy matters will be a valuable investment. Some of the issues that organisations will want to consider include:
This requires more than a robust information security policy or data breach plan. Organisations should consider how the teams work together to share information at the right time and in the right way to allow these incidents to be assessed and managed properly.
Obligations under CPS 234 extend to information assets managed by or controlled by third party suppliers. This is not limited to outsourced material business activities covered under CPS 231 Outsourcing or SPS 231 Outsourcing.
Entities should assess their contracts and check that they have the rights needed to meet their obligations. Areas of focus will include: maintenance of cyber-security controls, disclosure of security control design, adherence to the customer’s security policies, on-going testing or certification/assurance processes, rectification of identified weaknesses, and incident response plans and information sharing. Some contracts will require variation and/or re-negotiation.
Supplier contracts must comply with CPS 234 from the earlier of the next renewal date (after 1 July 2019) or 1 July 2020.
CPS 234 has stringent notification requirements for ‘material’ information security incidents, being an ‘incident that materially affects, or has the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policy holders, beneficiaries or other customers’.
Such an incident must be notified to APRA within 72 hours of the entity becoming aware of it. In addition, the entity must notify APRA, within the same 72-hour window, of any other incident that has been notified to other regulators anywhere in the world (which may also trigger the need to notify other regulators such as the Office of the Australian Information Commissioner (OAIC) or a supervisory authority under the GDPR).
The relatively short timeline makes it important that there are clear reporting obligations on any third party supplier and also that the supplier is required to comply with the entity’s security incident response plan. As noted above, this is an area that would benefit from close convergence with any existing and applicable data privacy breach reporting regime.
CPS 234 requires that the level of controls put in place be commensurate with the criticality and sensitivity of the information assets under consideration. As such, an entity must consider the criticality (the potential impact of a loss of availability of the information) and the sensitivity (the potential impact of a loss of confidentiality or integrity of the information) of each information asset. The impact should be assessed as it applies to both the entity and its customers.
CPG 234 confirms that:
This assessment will provide entities seeking to become compliant with a clear list of priorities for action.
If you would like further information regarding compliance with CPS 234, KPMG Law’s technology law specialists are able to advise, either on legal aspects or as part of a wider review in conjunction with KPMG’s broader CPS 234 team.
© 2020 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. Liability limited by a scheme approved under Professional Standards Legislation.