cdoadvisory

Knowledge Article: Enhancing Data and Information Security in APRA-Regulated Entities
The Australian Prudential Regulation Authority (APRA) has established comprehensive standards and guidelines aimed at ensuring the security and integrity of data and information within the entities it regulates. This includes both Prudential Standard CPS 234 on Information Security and Prudential Practice Guide CPG 235 on Managing Data Risk.

CPS 234: Information Security

Introduced on July 1, 2019, CPS 234 requires APRA-regulated entities to establish robust information security measures that protect against incidents, including cyber-attacks. The standard applies to a wide range of financial institutions, including banks, insurers, and superannuation entities, requiring them to:

·      Clearly define information security roles and responsibilities across their organisation.

·      Maintain an information security capability proportionate to the size and extent of threats.

·      Implement controls to protect information assets based on their criticality and sensitivity.

·      Systematically test the effectiveness of those controls.

·      Notify APRA promptly of material information security incidents.

This standard emphasises the Board’s ultimate responsibility for ensuring an entity’s information security, highlighting the need for senior management's active involvement in overseeing and ensuring compliance with these requirements.

CPG 235: Managing Data Risk

CPG 235 complements CPS 234 by offering guidance on managing data risk, focusing on ensuring the quality and integrity of data across its lifecycle. This guide suggests a systematic approach to data risk management, emphasising the importance of:

·      Defining an overarching data risk management framework that aligns with the entity’s operational risk framework.

·      Adopting a principles-based approach to data risk management, with principles such as ensuring data access is granted based on business needs and automating data validation and cleansing where possible.

·      Assigning clear roles and responsibilities related to data management to ensure effective outcomes.

·      Regularly assessing data quality and the effectiveness of data risk management controls.

Key Takeaways for APRA-Regulated Entities

Both CPS 234 and CPG 235 underscore the critical importance of safeguarding information and data, given their role as fundamental assets within financial institutions. These regulations and guidelines encourage entities to adopt a proactive stance on information security and data risk management, with an emphasis on:

·      Establishing clear governance structures and accountability for data and information security.

·      Ensuring that data management practices are integrated within the broader risk management and operational frameworks.

·      Continuously assessing and improving data and information security practices in response to evolving threats and vulnerabilities.

By adhering to these standards and guidelines, APRA-regulated entities can enhance their resilience against information security incidents, protect sensitive data, and maintain the trust of their customers and stakeholders.