APRA offers deferral option on critical information security standard

APRA has offered some reprieve for stressed financial institutions bearing the brunt of Covid-19-related shutdowns, allowing for a six-month deferral in implementing an amendment to the CPS 234 Information Security standard.

While the original launch date of 1 July remains unchanged, regulated businesses can now request an extension of up to six months (to 1 January 2021) from the watchdog on implementing the CPS 234 Information Security (third-party arrangements transition provision) standard. Businesses seeking the extension, however, must apply separately to APRA and will be assessed by the regulator “on a case-by-case basis”.

Entities seeking an extension will be required to advise APRA of the nature of their third-party arrangements, as well as how they are monitoring the risks associated with these arrangements.

The cross-industry CPS 234 standard, enacted on 1 July last year, broadly requires all APRA regulated entities to implement appropriate information security capabilities to ensure resilience against data breach, data loss or any unauthorised alteration of information assets.

The third-party arrangements transition provision of CPS 234, a separate amendment, demands added “information security capability, information asset identification and classification, implementation of controls, testing control effectiveness and internal audit to apply to assets managed by related parties and third parties” of APRA-regulated entities.

In revising the standards’ implementation dates, APRA said it had “sought to balance the need to ensure its prudential framework remains fit for purpose with enabling APRA-regulated entities to focus their time and resources on dealing with the impact of Covid-19”.

“Given the potential for increased vulnerability to cyber risks in the current environment, APRA advises all regulated entities to remain vigilant in maintaining their information security.”

APRA has also announced a temporary stay on the implementation of the following standards: CPS 226 Margining and Risk Mitigation for Non-Centrally Cleared Derivatives (phase-in of initial margin requirements); APS 220 Credit Risk Management; and APS 222 Associations with Related Entities, together with ARS 222.0 Exposures to Related Entities and ARS 222.2 Exposures to Related Entities – Step-in risk.