Following the release of the final version of the new Prudential Standard on information security, we explore the key requirements and expectations for regulated entities and look at what steps institutions should be taking in preparation of the 1 July 2019 start date.
Given the evolution of technology use within financial institutions and a reliance on third party providers, there is a heightened risk of breaches and incidents. As a result, it is no surprise that APRA has taken action to issue a Prudential Standard to provide more clarity around best practice and expectations, in order to help institutions reduce both the likelihood and impact of information security events.
Key requirements and possible preparatory actions for the implementation of CPS 234 are detailed below.
• Document an information security policy/framework if not already in place
Following on from the Notifiable Data Breach Scheme under the Privacy Act, many regulated institutions will have formalised frameworks for data breaches if they did not previously have anything in place. CPS 234 moves beyond this into the need to improve and maintain adequate capabilities for the management of information security more broadly and this starts with a need to sufficiently document controls and responsibilities.
• Clear allocation of responsibility for Information Security for Board, Management and individuals
It is no longer acceptable for IT to only be the concern of the IT department. This means institutions will need to properly define and allocate responsibilities for information security and find ways to help build the bridge between what is often viewed as a highly specialist area with its own language, and the common language of risk management throughout the rest of the organisation.
• Increased requirements for annual disaster recovery testing including information security response plans
APRA is expecting all entities to develop information security response plans for any information security event that is likely to occur. In this way, APRA is expecting entities to take an ‘assumed breach’ position in order to document specific responses. These will then need to be reviewed and tested annually. This will typically require an enhancement to existing disaster recovery plans to more specifically capture responses to information security events.
A key benefit of creating more specific response plans is that it helps to spread awareness and knowledge of both roles and controls around the business. In addition, it provides a means of testing and assessing the sufficiency of existing controls, which can in turn reduce the level of threat.
Prevention is obviously ideal, but the increase in external threats and the ease of human error both make it more essential than ever to be prepared for responding to an actual event.
• Internal audit to test controls regularly
If information security has not already been built into internal audit programs, entities will need to start considering this for future plans in order to meet this requirement.
• APRA notification requirements
> Within 72 hours for ‘material’ incidents, or incidents notified to other regulatory bodies
> Within 10 days for a material weakness in controls
While there continues to be some overlap in these notification requirements with other notification requirements (e.g. the Privacy Act), APRA has in its final version reconsidered the very onerous and challenging requirement to provide notifications within 24 hours, and to align the notification timeframe for a material weakness with other prudential standards at 10 business days. The 72 hour notification timeframe could still prove problematic for institutions, who will need to set out clear definitions of what is ‘material’ in order to escalate these faster.
To do list
While many will have commenced addressing these requirements, we’ve put together a handy summary to help you make sure that you are on track.
1. Clearly document controls and responsibilities for Information Security
Ensure that existing procedures are well documented and commence work to enhance any areas that are considered weak.
APRA has set out its expectations that all information assets must be classified by criticality and sensitivity. As such, entities will need to commence thorough documentation of this if they have not otherwise.
2. Enhance documentation and processes for incident management
With a greater onus on reporting of information security incidents to multiple regulatory bodies and a greater expectation on the actual response in relation to an event, incident management processes may need to be improved. Material incidents need to be well-defined and understood, along with ensuring awareness of individual’s roles in incident management and the reporting of incidents. This will likely see a need for additional training on incident management in order for incidents to be identified and reported in a timely manner.
3. Contact IT Service providers
Proactively seek confirmation of their compliance with CPS 234 where possible.
Ensure there is sufficient internal understanding of the controls in place and exactly what controls are being relied on. Entities are expected to assess the information security capability of third parties and this will require a deeper understanding of their processes and controls.
4. Further develop disaster recovery plans and testing programs to include information security response plans
5. Start scheduling controls testing into internal audit plans
It will be critical to fully document the internal controls in order for Internal Audit to conduct controls testing. In many cases, IT staff perform a significant array of controls testing throughout the year that is not well understood by others in the organisation. This will need to be better defined and built into the process too.
Finally, keep an eye out for additional guidance on APRA’s expectations when they update Prudential Practice Guide CPG 234 Management of Information and Information Technology in the near future.