Information security requirements for all APRA-regulated entities
APRA is releasing a new prudential standard and updated guidance in relation to information security across all APRA-regulated industries. As technological developments continue to expand, the scope and sophistication of potential malicious activity against financial institutions will increase. The new requirements and guidance will help regulated entities to manage these risks.
Consultation on Prudential Practice Guide CPG 234 Information Security – Closed
June 2019
In June 2019, APRA released a response letter on the submissions received on the updated cross-industry Prudential Practice Guide CPG 234 Management of Security Risk in Information and Information Technology, renamed as Prudential Practice Guide CPG 234 Information Security (CPG 234).
This response letter details the more substantive matters raised in submissions and APRA’s responses. In addition, APRA has made a number of minor changes to CPG 234 as part of the final review process.
The response letter and prudential practice guide can be found below:
Response letter
Prudential practice guide
Non-confidential submissions
We received 5 non-confidential submissions on the updated cross-industry Prudential Practice Guide CPG 234 Information Security:
March 2019
In March 2019, APRA released for consultation an updated draft Prudential Practice Guide CPG 234 Management of Security Risk in Information and Information Technology.
The updated draft CPG 234, renamed as Prudential Practice Guide CPG 234 Information Security, is designed to assist regulated entities in complying with CPS 234 on an ongoing basis, as well as providing APRA’s observations as to what constitutes good practice in information security.
Written submissions were received until 17 May 2019.
The consultation letter and draft prudential practice guide can be found below:
Consultation letter
Draft prudential practice guide
Consultation on the proposed cross-industry prudential standard CPS 234 Information Security – Closed
November 2018
In November 2018, after having received and addressed a large number of submissions in response to the March consultation on draft CPS 234, APRA released the final version of Prudential Standard CPS 234 Information Security (CPS 234).
These information security requirements are designed to ensure APRA-regulated entities have in place appropriate information security capabilities to be resilient against information security incidents. The new CPS 234 will commence on 1 July 2019.
The response letter and Prudential Standard CPS 234 Information Security can be found below:
Response letter
Prudential standard
March 2018
In March 2018, APRA released for consultation a discussion paper on the introduction of a new cross-industry framework for the management of information security.
The proposed requirements are specified in the draft Prudential Standard CPS 234 Information Security (draft CPS 234), which APRA proposes to apply to authorised deposit-taking institutions (ADIs), general insurers, life insurers, private health insurers, licensees of registrable superannuation entities (RSE licensees) and authorised or registered non-operating holding companies.
Written submissions on the proposals set out in this discussion paper were received until 7 June 2018.
The discussion paper, draft prudential standard and non-confidential submissions can be found below:
Discussion paper
Draft prudential standard
Non-confidential submissions
We received 17 non-confidential submissions on the proposed prudential standard CPS 234 Information Security:
Note on submissions
It is APRA's policy to publish all submissions on the APRA website unless the respondent specifically tells APRA in writing that all or part of the submission is to remain confidential. An automatically generated confidentiality statement in an email does not satisfy this purpose. If you would like only part of your submission to be confidential, you should provide this information marked as 'confidential' in a separate attachment.
Submissions may be the subject of a request for access made under the Freedom of Information Act 1982 (FOIA). APRA will determine such requests, if any, in accordance with the provisions of the FOIA. Information in the submission about any APRA-regulated entity that is not in the public domain and that is identified as confidential will be protected by section 56 of the Australian Prudential Regulation Authority Act 1998 and will therefore be exempt from production under the FOIA.