APRA’s prudential standard on information security
On 1 July 2019 the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 Information Security comes into effect. Intended to make organisations more resilient against cyber-attack, it introduces new responsibilities and requirements for compliance. This means that your compliance plans should already be underway – or need to commence immediately.
APRA’s prudential standard on information security: what it means to enterprises in the finance and insurance industries.
Information security: Urgent.
APRA’s Prudential Standard CPS 234 is effective as of 1 July 2019 or, in the case of an APRA-regulated entity whose information assets are managed by a third party, 1 July 2020.
The Standard imposes four key requirements on APRA-regulated entities, specifically to:
- clearly define information-security related roles and responsibilities;
- maintain an information security capability commensurate with the size and extent of threats to their information assets;
- implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls; and
- promptly notify APRA of material information security incidents.
Of particular note is the requirement to inform APRA within 24 hours of a security incident that affects, or may affect, “the entity or interests of depositors, policyholders or other customers”; and within five business days of “identifying material internal control weaknesses that the entity is not able to remediate in a timely manner”.
The clock: Ticking.
This means that all APRA-regulated entities must ensure that, by 1 July 2019, they have in place systems and protocols that allow for manual and automatic logging of risk events, automatic notification of such events, and preparation of the data and any other analysis required to notify APRA.
To be effective, such tools should be automated to the fullest extent possible, and any manual data entry, reporting, notification or other requirements should be streamlined to ensure regular and accurate reporting.
Ideally, this will take place through an established platform that is familiar to users and the IT teams supporting them. This will lead to faster return on investment, greater adoption, better data gathering and efficient system performance.
But there is little time to waste and the key question remains: is your business’s GRC solution ready? Assess your GRC posture with our checklist.
GRC: Pre-built.
DXC’s pre-built GRC solution lets you quickly move from reactive, siloed and inefficient manual processes to an automated, actionable and proactive GRC program, implemented in weeks, not months.
DXC’s pre-built GRC solution makes policies fully digital; in the case of CPS 234, once loaded it becomes a simple matter to track actions and record incidents. And because the toolset includes powerful analytics, everything is visible on the dashboard.
Built around technologies pioneered by leading global ServiceNow partner TESM, which was recently acquired by DXC, the pre-built GRC solution uses continuous compliance to prove (and continue to prove) that you are in good shape for internal and external GRC challenges. Built on DXC’s GRC Structural Foundation, a pre-built design and framework, it is fast to deploy and simple to update, offering unprecedented clarity and confidence in your GRC activities.