The Australian Prudential Regulation Authority (APRA) has finalised a new Information Security Prudential Standard (CPS 234) coming into effect on 1 July 2019. CPS 234 will apply to all APRA regulated entities, including insurers. The purpose of CPS 234 is to ensure that an APRA regulated entity has measures in place to be resilient against information security incidents, including cyber-attacks.
Why introduce a new prudential standard?
The release of CPS 234 follows a consultation and development process that began in March 2018. The rationale for a new prudential standard is that information security attacks continue to increase in frequency, sophistication and impact. Vulnerabilities in information security have the potential to impact the stability of the banking, insurance and superannuation industries.
APRA has also stated that information security is currently an industry-wide weakness and heightened area of risk. Accordingly, the new information security prudential standard is a high priority. Now that CPS 234 has been finalised, APRA plans to introduce an operational risk management prudential standard and revise business continuity management and outsourcing prudential standards.
What does CPS 234 require insurers to do?
CPS 234 requires insurers to maintain information security capability commensurate with the size and extent of threats to information assets. This involves:
- classifying all information assets by criticality and sensitivity;
- implementing information security controls commensurate with the vulnerability, criticality, sensitivity and life-cycle of each asset and the potential consequences of an incident;
- maintaining robust mechanisms to detect and respond to information security incidents in a timely manner; and
- testing those controls through a systematic testing program conducted by skilled and functionally independent specialists.
Interestingly, CPS 234 does not expressly require APRA regulated entities to have cyber insurance. However, cyber insurance can play an important role in an entity’s information security strategy.
Is CPS 234 different to privacy legislation?
While insurers operating in Australia already need to comply with the Privacy Act 1988 (Cth) and some may also need to comply with the GDPR, CPS 234 is different. Privacy legislation focuses on collection, storage, disclosure and use of personal information. However, CPS 234 applies to the protection of all “information assets”. This includes personal information, commercial information, software, hardware and data. CPS 234 also clarifies the role of the board, senior management and individuals at an APRA regulated entity such as an insurer.
The purpose of CPS 234 is to ensure that an APRA regulated entity adequately addresses information security risks through appropriate information security capability and controls. As a result, the likelihood and impact of information security incidents is minimised. For example, information security incidents have the potential to take critical network infrastructure offline for extended periods and expose highly confidential information.
What if a related party or third party holds the information?
CPS 234 requires insurers to assess the information security capability of the related or third party, having regard to the potential consequences of an information security incident affecting those assets. CPS 231 (Outsourcing) already imposes obligations on insurers who outsource material business activities. However, CPS 234 applies to all information assets managed by related or third parties, regardless of whether they relate to material business activities.
What are the notification obligations in CPS 234?
Insurers are required to notify APRA as soon as possible and no later than 72 hours after becoming aware of an information security incident that materially affects, or has the potential to materially affect, the entity or the interests of depositors, policyholders, beneficiaries or other customers.
The time-frame to notify APRA has been increased to 72 hours from the 24 hours proposed in the draft standard. This change acknowledges that regulated entities need adequate time to properly assess an information security incident and determine how to deal with it.
Insurers are also required to notify APRA as soon as possible and no later than 10 business days after becoming aware of a material information security control weakness that they cannot remedy in a timely manner. This time-frame has also been doubled from the 5 business days proposed in the draft standard.
What should insurers do?
Given that information security is a high priority for APRA, a short implementation time-frame has been adopted. CPS 234 will come into force on 1 July 2019. However, for information assets managed by a third party, CPS 234 will only apply to those information assets from the earlier of the next renewal date of the third party contract and 1 July 2020. In preparation, insurers should:
- update their information security policies, procedures and controls to comply with CPS 234;
- revisit the adequacy of their information security controls;
- review contracts with service providers, whether or not the contract involves a material business obligation;
- ensure that their information assets are classified appropriately based on their criticality and sensitivity; and
- undertake a systematic testing program of their information security controls.