The Australian Prudential Regulation Authority (APRA) has released Prudential Practice Guide CPG 235 Managing Data Risk (CPG 235) for ADIs, insurers and superannuation funds.
Subject to meeting APRA’s prudential requirements, a regulated entity has the flexibility to manage data risk in a manner that is best suited to achieving its business objectives.
The guide targets areas in which APRA continues to identify weaknesses through its ongoing supervisory activities.
Examples of data risk include:
(a) fraud due to theft of data;
(b) business disruption due to data corruption or unavailability;
(c) execution or delivery failure due to inaccurate data; and
(d) breach of legal or compliance obligations resulting from disclosure of confidential data.
APRA envisages that data risk management principles could include:
(a) access to data is only granted where required to conduct business processes;
(b) data validation, correction and cleansing occur as close to the point of capture as possible;
(c) automation (where viable) is used as an alternative to manual processes;
(d) timely detection and reporting of data issues, to minimise the time during which an issue can affect the entity;
(e) assessment of data quality to ensure it is acceptable for the intended purpose; and
(f) design of the control environment is based on the assumption that staff do not know what the data risk management policies and procedures are.
A number of specific security management principles are also relevant.