Prudential Standard CPS 234 Information Security

Independent Review – Australian Prudential Regulation Authority (APRA)

On 7 November 2018, APRA released the final version of its prudential standard on information security management in the financial services industry. The standard was developed to increase APRA-regulated entities’ resilience against information security incidents (including cyber-attacks), and their ability to respond swiftly and effectively in the event of a breach.

Prudential Standard CPS 234 Information Security requires APRA-regulated entities to:

  • clearly define information-security related roles and responsibilities;
  • maintain an information security capability commensurate with the size and extent of threats to their information assets;
  • implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls; and
  • promptly notify APRA of material information security incidents.

APRA has certified that the process and analysis it undertook to develop the information security requirements, and the resulting paper, are equivalent to a final Regulation Impact Statement (RIS) as set out in The Australian Government Guide to Regulation. The Office of Best Practice Regulation (OBPR) does not assess independent reviews or RIS-like processes that agencies have certified as equivalent in this way.

APRA was compliant with the Australian Government RIS requirements and consistent with best practice.

APRA estimates the average annual regulatory cost at $6.7 million over three years. The OBPR has agreed to this regulatory cost estimate.