New APRA regulation means financial firms must take cybersecurity more seriously

A new regulation standard makes cyber security a board-level problem, but it also means all employees must be engaged and understand their role in keeping data safe and secure.

From this Monday, 1 July 2019, board members of the financial institutions regulated by the Australian Prudential Regulation Authority (APRA) will have to take cyber security and personal data more seriously than they might have done until now.

A set of new requirements, which may see a director or CEO scratch their head as they realise their institution’s shortcomings, is rolled out in APRA’s CPS 234 Information Security Standard. It requires boards to ensure that their entity maintains a higher level of information security.

Minimise risk
The key objective of the standard is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets. A typical example is cyber criminals using ‘phishing’ emails and SMS tricks to fool an employee so that they can get past the organisation’s defences and install malicious software, which then enables them to damage, hijack or steal confidential data. The standard also covers information assets that are managed by related parties or third parties.

The new standard makes cyber security a board-level problem, but it also means all employees must be engaged and understand their role in keeping data safe and secure. Collaboration and engagement are key at all levels within an organisation.

This is precisely the area our ‘Humour against hacking’ campaigns specialise in: engaging employees with quizzes and cute cartoons that are easy to understand and at the same time entertaining to watch.

Protection of personal data
It’s important for an organisation to properly respect the rights and protection of the individual when it comes to personal data.

There have been many scandals about breaches of personal data in recent years. Stolen personal data has been used for all sorts of shady purposes and has become a commodity among cyber criminals.

The intention of the new APRA Standard is good, and it should be welcomed. It’s important that organisations everywhere prioritise cyber security now and into the future.

Directive requirements
“This Prudential Standard aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyber attacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats,” the APRA Standard explains.

Under the new standard, an APRA-regulated entity must do the following:

  • Clearly define the information security-related roles and responsibilities of the
    board, senior management, governing bodies and individuals
  • Maintain an information security capability commensurate with the size and
    extent of threats to its information assets, and which enables the continued
    sound operation of the entity
  • Implement controls to protect its information assets commensurate with the
    criticality and sensitivity of those information assets, and undertake
    systematic testing and assurance regarding the effectiveness of those controls
  • Notify APRA of material information security incidents and data breaches within
    72 hours – the same timeframe as the GDPR introduced in the European Union last year


REMEMBER – Hacking is Big Business