APRA seeks industry guidance on new cyber-crime standard


Australia’s prudential regulator, APRA, is seeking feedback from the financial services industry on a proposed cross-industry practice guide for managing information security risk and resisting cyber-crime.

The draft Prudential Practice Guide CPG 234 Information Security, an update to the existing CPG 234 guide, has been developed to help regulated entities implement APRA’s new cross-industry prudential standard on information security, CPS 234, which comes into force on 1 July this year.

The guide is aimed at boards and senior management, as well as risk and information technology specialists.

CPG 234 provides guidance on addressing several common information security weaknesses that APRA has observed through “its regular supervisory activities,” the regulator said in a statement.

“It outlines how entities can maintain information security capabilities commensurate with the size and complexity of their business and the sensitivity of the data they possess. It also explains how entities can optimise their resilience when aspects of their information security are managed by third parties.”

The new Prudential Standard CPS 234 Information Security aims to “shore up APRA-regulated entities’ resilience against information security incidents (including cyber-attacks), and their ability to respond swiftly and effectively in the event of a breach.”

Commenting on the final release of the CPS 234 standard in November last year, APRA Executive Board Member Geoff Summerhayes said the introduction of the industry cyber standard will “ensure all regulated entities develop and maintain information security capabilities that reflect the importance of the data they hold, and the significance of the threats they face.”

“Australia’s banks, insurers and superannuation funds are major targets of cyber-crime, and the risk is accelerating as attackers gain in skill and technological sophistication. Unfortunately, it is only a matter of time until a significant cyber breach occurs at an Australian financial institution,” Summerhayes said.

APRA will review industry feedback over an eight-week consultation period before releasing the final version of CPG 234.

The consultation package is available from APRA.