APRA has released the final version of its prudential standard aimed at combating the threat of cyber attacks.
The new standards developed by the Australian Prudential Regulation Authority will shore up regulated entities’ resilience against information security incidents including cyber attacks.
The standards, referred to as CPS 234, also enable entities to respond swiftly and effectively in the event of a security breach.
The standards require entities to clearly define information-security roles, maintain an information security capability, implement and test controls to protect assets and notify APRA of any incidents.
APRA released a discussion paper about the standards in March, and the finalised standards include several amendments made after consultation with the industry around requirements of third parties and notification timelines.
APRA executive board member Geoff Summerhayes said that Australian financial services companies were increasingly under attack from cyber adversaries.
“A significant information security breach at an APRA-regulated entity is almost certainly a question of when – not if. In a worst-case scenario, a major breach could even force a company out of business. As a result, APRA is fast-tracking implementation of this standard, and expects all regulated entities to meet its requirements by 1 July next year,” he said.
Mr Summerhayes said the introduction of the new standards would ensure all entities were able to keep hold of the data and stop any threats.
“By introducing CPS 234, APRA aims to ensure all regulated entities develop and maintain information security capabilities that reflect the importance of the data they hold, and the significance of the threats they face.”