APRA has released updated prudential guidance on managing information security risks, including cyber-crime. The updated Prudential Practice Guide, CPG 234 Information Security will assist regulated entities to embed and comply with the requirements of APRA’s new cross-industry prudential standard, CPS 234 Information Security, which came into force on 1 July 2019.
CPS 234 requires an APRA-regulated entity to notify APRA of certain information security incidents and material information security control weaknesses.
CPG 234 sets out key information a Board could consider in relation to its responsibilities under CPS 234.
Services provided by third parties
APRA has made the following observations about services provided by third parties:
- APRA expects that a regulated entity will assess the information security capability of all third parties that manage information assets on its behalf, commensurate with the potential consequences of an information security incident affecting those assets. APRA does not consider it sufficient for a regulated entity to rely on the fact that a third party may be subject to some form of regulatory oversight as an indicator that the information security capability of that third party is automatically commensurate with the size and extent of threats to an entity’s information assets, and would therefore enable the continued sound operation of the entity.
- When the third party engages another service provider to deliver an end-to-end service, additional vulnerabilities and threats are introduced. Under such circumstances, APRA’s expectation is that an APRA-regulated entity would take reasonable steps to satisfy itself that the third party has sufficient information security capability to manage the additional threats and vulnerabilities resulting from such arrangements.