The Australian financial services regulator wants to shore up the security of Australia's finance industry by making banks adhere to a cyber security prudential standard.
Until now, information security risk management has been covered under a practice guide - which provides guidance on how supervised institutions can satisfy the prudential standards - as well as under two broader risk management standards.
But the Australian Prudential Regulation Authority (APRA) now wants to create a dedicated prudential standard for cyber security to ensure financial services firms are keeping their systems secure against the latest trends in attack.
Prudential standards are legally binding and set out minimum capital, governance and risk management requirements.
APRA revealed it was intending to make cyber security a prudential requirement in its policy priorities paper [pdf] for 2018 in late January, but declined to provide any information at that time.
It undertook consultation with industry over the proposal throughout the beginning of this year, and today released its proposed cyber security standard for further consultation.
"The package is aimed at shoring up the ability of APRA-regulated entities to repel cyber adversaries, or respond swiftly and effectively in the event of a breach," it said.
The CPS 234 standard would require regulated entities to:
- clearly define the IT security-related roles and responsibilities of the board, senior management, governing bodies and individuals;
- maintain information security capability commensurate with the size and extent of threats to information assets, and which enables the continued sound operation of the entity;
- implement controls to protect information assets, and undertake systematic testing and assurance as to their effectiveness;
- have robust mechanisms in place to detect and respond to cyber incidents in a timely manner; and
- notify APRA of material information security incidents.
"No APRA-regulated entity has experienced a material loss due to a cyber incident, but a significant breach is probably inevitable. In a worst-case scenario, a cyber attack could even force a company out of business," APRA executive board member Geoff Summerhayes said in a statement.
"Cyber security is generally well-handled across the financial sector, but with criminals constantly refining and expanding their tools and capabilities, complacency is not an option."
APRA said it hoped the standard would improve assurance over the security capabilities of third party providers, and make regulated entities more equipped to respond to and recover from security incidents.
"Implementing legally binding minimum standards on information security is aimed at increasing the safety of the data Australians entrust to their financial institutions and enhance overall system stability," Summerhayes said.
APRA will take submissions on the proposed standard until June 7, and intends to implement it from July 1 next year.
Its policy paper also revealed a plan to update its requirements for outsourcing and business continuity.
The two standards (outsourcing and business continuity) were last updated in July 2017. APRA at the time declined to comment on what specific updates it planned to make.
"The objective of this initiative is to align prudential requirements with industry better practice and community expectations for a high degree of resilience to material operational risk incidents," its policy paper states.
"Subsequently, requirements for operational risk management and revised standards for
business continuity and outsourcing (updated to cover service provision more broadly) will be
issued for consultation."
The document indicates APRA will start consultation on these areas in the second half of this year, with a view to implement changes from 2019.
