As of 1 July, all APRA-regulated entities, including banks and insurance companies, must adhere to a new standard for information security.
The CPS 234 standard requires regulated entities to maintain an information security capability appropriate to their size, to systematically test their security controls, to notify APRA of incidents, and to define the cybersecurity roles of board members and management within the business.
APRA Executive Board Member, Geoff Summerhayes, said there is a growing need for Australian financial services to have stronger cyber security.
“A significant information security breach at an APRA-regulated entity is almost certainly a question of when – not if,” he said.
“In a worst-case scenario, a major breach could even force a company out of business.
“By introducing CPS 234, APRA aims to ensure all regulated entities develop and maintain information security capabilities that reflect the importance of the data they hold, and the significance of the threats they face.”
A stronger regulatory environment is welcomed by Graeme Pyper, who has nearly two decades of cyber security experience and is Regional Director for Cloud Protection and Licensing Activity at Thales.
“I think it’s very helpful that regulations have been adapted and improved over the last 12 to 18 months,” Pyper said.
“There has been lots of consultation with the industry as well and in general I’m very much in favour of regulation that improves the security posture of organisations.”
For Pyper, the added accountability for board members and management signals a shift in how cyber security is viewed.
“Sometimes boards and business owners are too concerned with how to grow that business and end up trusting everybody to do the right thing.
“When the board is held responsible and individuals get singled out, then clearly the impetus is on them to ensure that their teams are doing the right thing.”
Data breaches represent a rising cost to Australian businesses and major breaches are happening with greater frequency.
Financial gain is the number one motive for data theft, which makes banking data highly sought-after; combined with the growing number of neo-banks operating in Australia, this calls for stronger guidelines in the sector.
APRA is the latest regulatory body to put in place measures to ensure greater data protection.
Since February last year, all entities regulated under the Australian Privacy Act have had to report data breaches to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme.