In November 2018, APRA released the Prudential Standard 234 for Information Security. The standard came into force on 1 July 2019. If your information assets are managed by a third party, then entities had until 1 July 2020 to be compliant.
All APRA regulated entities (Banking, Insurance, Life Insurance, Health Insurance and Superannuation organisations) are required to ensure that their information security capability (resources, skills and controls) are proportionate to the size and extent of the threats to their information assets.
In a recent speech APRA has indicated that many entities who have self attested compliance have been found to be non-compliant in the following areas:
The speech can be viewed here: Executive Board Member Geoff Summerhayes - speech to Financial Services Assurance Forum (Thursday 26 November 2020) https://www.apra.gov.au/news-and-publications/executive-board-member-geoff-summerhayes-speech-to-financial-services
They have indicated that an assurance program will commence in early 2021.
What is APRA planning to do?
Cyber Risk Assessment: We perform or evaluate your cyber risk assessment in defining both the criticality and sensitivity of your information assets, as well as the size and extent of the threats faced. This includes gap analysis of existing security controls against the standard.
Internal Audit Staff Augmentation: We appreciate companies will have a challenge resourcing staff adequately to perform the internal audit requirements. Cyber security expertise may be lacking in Internal Audit teams. Our Tannhauser team will augment your existing internal audit function capability.
Independent Testing: We perform independent security control audit and testing for a variety of complex technology environments.
Cyber Resilience: Finally we help you develop incident response management plans, train staff how to respond to a cyber attack and effectively test these in real-time with simulation workshops and red team exercises.
Contact us for the latest cyber security updates to regulatory and legislative requirements for your business.
Further APRA Prudential Standard CPS 234 Information Security guidance is located here: https://www.apra.gov.au/information-security