APRA Level Security Compliance
APRA Level Security Compliance: What you need to know about the new cloud and data security standards
2018 was a year of significant change in the world of data security compliance. On 25th May 2018, Europe’s General Data Protection Regulation (GDPR) came into effect, unifying all current laws relating to data protection across Europe. Closer to home, Australia’s Notifiable Data Breach Scheme legislation became law on the 22nd February 2018, introducing new reporting guidelines and penalties for organisations governed by the Australian Privacy Act.
Following on from this legislation, in September 2018 the Australian Prudential Regulation Authority (APRA) updated its guidance on cloud computing services and, on the 1st July 2019, will enforce a new prudential standard (CPS 234) to address information and cybersecurity for APRA related entities.
These standards and guidance apply to APRA regulated entities such as:
- Authorised deposit-taking institutions (ADIs), including foreign ADIs and non-operating holding companies, authorised under the Banking Act;
- General insurers, including Category C insurers, non-operating holding companies authorised under the Insurance Act (authorised insurance NOHCs), and parent entities of Level 2 insurance groups;
- Life companies, including friendly societies, eligible foreign life insurance companies (EFLICs) and non-operating holding companies registered under the Life Insurance Act (registered life NOHCs);
- Private health insurers registered under the PHIPS Act; and
- RSE licensees under the SIS Act in respect of their business operations.
CPS 234 is the first prudential standard from APRA that specifically addresses the protection of information and cybersecurity. It also extends to related third parties responsible for the management of information assets on behalf of APRA regulated entities.
This new standard sits alongside APRA’s updated guidance on the use of cloud computing services, as APRA regulated entities are increasing their use of cloud-based platforms. Cloud-based platforms are increasingly used to manage information assets as well as to enable digital innovation (such as payments technology), reduce operational costs and achieve greater operational efficiency. Research from HTF Market Intelligence[i] indicates that the global ICT market is set to grow by 5.7%, with cloud computing expected to experience 18% growth.
What are the obligations under the new CPS 234 prudential standard?
Obligations for entities under CPS 234 include:
Roles and Responsibilities
The board of an APRA-regulated entity is ultimately responsible for information security. The board must ensure the entity maintains information security in a manner reflective of its size and extent of threats to its information assets and enables the continued sound operation of the entity.
The entity must identify security-related roles and responsibilities of the board, senior management, governing bodies and individuals responsible for decision-making, approval, oversight, operations and other information security functions.
Information Security Capability
An APRA-regulated entity must have information security capability which corresponds with the size and threats to its information assets and enables the continued sound operation of the entity.
Where a related or third party manages information assets, the APRA-regulated entity must assess the information security of that party, ensuring that capability is commensurate with the potential consequences of an information security incident affecting those assets.
The information security capability must be maintained with respect to changes in vulnerabilities and threats due to changes to information assets or the entity’s business environment.
Creating an information security policy framework
An information security policy framework must be maintained and provide direction on responsible parties who have an obligation to maintain information security.
Information asset identification and classification
Information assets must be classified based on criticality and sensitivity. These classifications must reflect the potential impact of an information security incident on the entity and the interests of depositors, policyholders, beneficiaries and customers.
Implementation of controls
Controls must be in place to protect information assets including those managed by a related or third party.
Testing of control effectiveness
A systematic testing program must be implemented to test the effectiveness of information security controls. These controls must be tested by skilled, independent specialists at least annually.
Where a related or third party undertakes its own testing, the APRA regulated entity must assess whether the nature and frequency of that testing are effective to comply with the standard.
Robust mechanisms must be in place to detect and respond to information security incidents. These mechanisms must manage all relevant stages of an incident, from detection to post-incident review as well as escalation and reporting of incidents to the boards, governing bodies and individuals responsible for the management of security incidents.
Audit of the information security controls must include a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties.
Assurance must be provided by personnel who are appropriately skilled in providing such assurance.
APRA regulated entities must notify APRA as soon as possible (and no later than 72 hours) after becoming aware of an information security incident that has materially affected, or has the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers. Notification must also occur if an incident has been notified to other regulators, either in Australia or other jurisdictions.
If an information security control weakness is identified, the entity must notify APRA as soon as possible, and no later than ten business days after it becomes aware of the weakness.
What does this all mean for APRA related entities?
Prudential standard CPS 234 comes into effect on the 1st July 2019, subject to any transitional arrangements. The new standard will increase the obligation of APRA regulated entities to ensure related third parties satisfy the requirements under the new standard.
With cloud computing services, APRA has updated its information paper, Outsourcing involving cloud computing services, warning entities to enter into cloud computing service agreements only where risks are adequately understood and managed, and not to select services based on cost alone.
The updated paper also requires entities to be aware of the changes needed to organisational capability when adopting new cloud-based technology and expects entities to apply the appropriate amount of rigour to the planning process when transitioning from the current state to the new cloud-based environment. Business and technology strategies would typically inform this planning with consideration to the broader IT environment and operating model.
Where does IPSI stand with the new standard?
As a provider of secure independently certified cloud-based payment services to APRA regulated entities, IPSI welcomes this new standard and updates to the information paper on cloud computing.
IPSI has managed some of Australia’s largest PCI DSS security compliance and cloud-based security projects, encapsulating the secure processing and storage of sensitive customer financial data within Australia with clearly demarcated data sovereignty.
Having managed such projects for blue-chip corporations and circa fifteen insurance brands, the IPSI team welcomes the increased focus on the security of sensitive customer data.
IPSI’s services use state-of-the-art AWS services that have achieved the highest levels of security certification, including ISO 27001, ISO 27017, ISO 27018, ISO 9001, PCI DSS and SOC. Our services are all PCI DSS Level 1 security certified, which represents a robust end-to-end compliance offering that is independently certified annually.
How can IPSI help companies achieve APRA level security compliance?
As a specialist provider of independently certified cloud-based payment and data security services, IPSI enables companies to reduce the complexity, costs, risks and lead times associated with such projects.
IPSI services and solutions address a diverse range of customer security considerations:
- Secure processing of sensitive customer financial data
- Secure storage of sensitive customer financial data in the cloud
- Data sovereignty within Australia
- Information asset (PII and/or credit card data) scanning, identification, classification & security remediation
- Advanced tokenisation solutions with multi-bank processing
- Level 1 PCI DSS compliance
- APRA compliant notification processes
- APRA compliant service agreements/governance
- Reduced fraud risk and financial exposure across a range of channels
If you have any questions regarding IPSI’s payment or security services and how they may assist your compliance with APRA’s security standards, please email us at email@example.com or call us on 1300 975 630
[i] Cloud Computing in Insurance Report – Thematic Research, HTF Market Intelligence, 31st August 2018. Accessed at https://www.marketwatch.com/press-release/cloud-computing-in-insurance-market-is-booming-with-amazon-ellie-mae-ibm-infosys-2018-08-31