CPS 234: the intersection of information security and data privacy
CPS 234: Information security and data privacy
APRA has released a draft of the Prudential Practice Guide CPG 234 Information Security for consultation. This provides a reminder that the due date for compliance with Prudential Standard CPS 234 Information Security is 1 July 2019.
Information security guidance published
The aim of the guide is to provide assistance to APRA-regulated entities in maintaining and supervising information security across the enterprise. It will also provide useful guidance to other corporates seeking a best practice approach to cyber-security management.
CPS 234 requirements
The key requirements of CPS 234 are:
- Clear definition of internal responsibilities for cyber-security, starting at board level
- Cyber-security capability commensurate with the size and extent of the threats
- Controls to protect information assets and on-going testing of their effectiveness
- Notification to APRA of material cyber-security incidents.
It will be important, as with any information security framework, to have the appropriate technical measures, processes, policies and procedures in place. Our article on APRA CPS 234 Information Security provides further information on how to prepare. However, CPS 234 will have a broader impact.
Policy framework – opportunity to converge?
CPS 234 recommends a number of areas to address when updating an organisation’s information security policy. This will help the entity achieve wider compliance with CPS 234. For example, an updated policy should cover the identification and classification of security incidents, reporting and escalation guidelines, the preservation of evidence and an incident investigation process.
CPS 234 applies to material information security incidents. Many of these incidents will involve data being compromised. Often, an assessment of whether that data includes personal information will be required. There is significant potential for the revised information security framework to overlap with other frameworks, notably Australia’s notifiable data breach scheme and the European Union’s General Data Protection Regulation (GDPR), which applies to many Australian organisations.
The challenge will be that an information security incident may require an assessment and notification under CPS 234, Australia’s Privacy Act and the GDPR, with the threshold for notification and the timeframes varying under each of these regimes. This provides a good opportunity for entities to review the interaction between their internal policies and procedures relating to information security incidents and those relating to data and privacy breaches.
While not all information security incidents will need to be raised with the privacy and legal teams, spending the time to establish expectations and business rules about how to deal with an incident involving data privacy matters will be a valuable investment. Some of the issues that organisations will want to consider include:
- Who is responsible for determining whether the incident may involve personal information?
- What notification obligations may be triggered beyond CPS 234?
- When and how should legal professional privilege be used?
- How will the security team and the legal and privacy teams work together on the assessments when applying different tests and managing different notification obligations?
This requires more than a robust information security policy or data breach plan. Organisations should consider how the teams work together to share information at the right time and in the right way to allow these incidents to be assessed and managed properly.
Obligations under CPS 234 extend to information assets managed or controlled by third-party suppliers. This is not limited to outsourced material business activities covered under CPS 231 Outsourcing or SPS 231 Outsourcing.
Entities should assess their contracts and check that they have the rights needed to meet their obligations. Areas of focus will include: maintenance of cyber-security controls, disclosure of security control design, adherence to the customer’s security policies, on-going testing or certification/assurance processes, rectification of identified weaknesses, and incident response plans and information sharing. Some contracts will require variation and/or re-negotiation.
Supplier contracts must comply with CPS 234 from the earlier of the next renewal date (after 1 July 2019) or 1 July 2020.
CPS 234 has stringent notification requirements for ‘material’ information security incidents, being an ‘incident that materially affects, or has the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policy holders, beneficiaries or other customers’.
Such an incident must be notified to APRA within 72 hours of becoming aware of the incident. In addition, the entity must notify APRA of any other incident that has been notified to other regulators anywhere in the world within the same 72-hour window (which may also trigger the need to notify other regulators such as the Office of the Australian Information Commissioner (OAIC) or a supervising authority under the GDPR).
The relatively short timeline makes it important that there are clear reporting obligations on any third-party supplier and also that the supplier is required to meet the entity’s security incident response plan. As noted above, this is an area that would benefit from close convergence with any existing and applicable data privacy breach reporting regime.
Criticality and sensitivity
CPS 234 requires that the level of controls put in place be commensurate with the criticality and sensitivity of the information assets under consideration. As such, an entity must consider the criticality (the potential impact of a loss of availability of the information) and the sensitivity (the potential impact of a loss of confidentiality or integrity of the information) of each information asset. The impact should be assessed as it applies to the entity and its customers.
CPG 234 confirms that:
- assessment of criticality and sensitivity must extend to other systems that may not be critical or sensitive themselves but could be used to compromise critical or sensitive systems
- where an entity considers components on an aggregated basis then it should apply the criticality and sensitivity rating of the most critical or sensitive component.
This assessment will provide entities seeking to become compliant with a clear list of priorities for action.
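As an added illustration (not from the guide or from KPMG), the two CPG 234 rules above can be applied mechanically to an asset inventory: an aggregated asset takes the rating of its most critical or sensitive component, and an asset that could be used to compromise a critical or sensitive asset inherits that asset's rating. The rating scale and the inventory below are constructed for the example; CPS 234 prescribes no particular labels.

```python
from dataclasses import dataclass, field

# Ordered rating scale; labels are constructed for this example (CPS 234 prescribes none).
SCALE = ["low", "medium", "high", "extreme"]

def highest(ratings):
    """Most severe rating in the iterable ('low' if empty)."""
    return max(ratings, key=SCALE.index, default="low")

@dataclass
class Asset:
    name: str
    criticality: str  # impact of a loss of availability
    sensitivity: str  # impact of a loss of confidentiality or integrity
    components: list = field(default_factory=list)      # sub-assets rated on an aggregated basis
    can_compromise: list = field(default_factory=list)  # names of assets this one could be used against

def inherent_rating(asset):
    """Aggregation rule: take the rating of the most critical/sensitive component."""
    crit = highest([asset.criticality] + [inherent_rating(c)[0] for c in asset.components])
    sens = highest([asset.sensitivity] + [inherent_rating(c)[1] for c in asset.components])
    return crit, sens

def effective_ratings(assets):
    """Dependency rule: an asset that could be used to compromise a critical or sensitive
    asset inherits that rating. Iterates to a fixed point, so chains and cycles are handled."""
    result = {a.name: inherent_rating(a) for a in assets}
    changed = True
    while changed:
        changed = False
        for a in assets:
            for target in a.can_compromise:
                merged = tuple(highest(pair) for pair in zip(result[a.name], result[target]))
                if merged != result[a.name]:
                    result[a.name] = merged
                    changed = True
    return result

def sample_inventory():
    """Constructed inventory, not taken from any real entity."""
    return [
        Asset("core-banking", "extreme", "extreme"),
        Asset("ci-server", "low", "low", can_compromise=["core-banking"]),
        Asset("dev-workstation", "low", "medium", can_compromise=["ci-server"]),
        Asset("hr-portal", "medium", "high", components=[Asset("payroll-db", "medium", "extreme")]),
        Asset("cafeteria-menu", "low", "low"),
    ]
```

Running `effective_ratings(sample_inventory())` shows the build server and the developer workstation rated "extreme" despite their own low ratings, because each sits on a path to the core system; that is the priority list the guide has in mind.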
If you would like further information regarding compliance with CPS 234, KPMG Law’s technology law specialists are able to advise, either on legal aspects or as part of a wider review in conjunction with KPMG’s broader CPS 234 team.
©2023 KPMG, an Australian partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved. The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organisation.