Background

In March, this year, APRA released a discussion paper and draft proposed Prudential Standard CPS 234 Information Security (CPS 234/Standard) that will apply to all APRA-regulated entities, including superannuation funds, for consultation.

On or around 7 November, APRA issued t­­­­he finalised version of CPS 234, which will commence on 1 July 2019.

For superannuation fund trustees (Trustees), this will mean that the Trustee Board (Board) must ensure that the Trustee maintains information security of information in a manner which is commensurate with the size and extent of threats to its information assets, and which enables the Trustee’s continued sound operation.

So what does this mean?

It means that the Board must ensure that the Trustee’s information security systems are appropriate, sustainable and adaptable. Further, the Board will need to analyse and assess the Trustee’s information security system and those responsible for the decision-making, approval, oversight, operations and other information security functions in respect of that system.

In other words, the Board needs to take an active role in understanding the Trustee’s information security system and ensuring that it is fit-for-purpose.

Why does it mean this?

Unlike other superannuation prudential standards, CPS 234 defines the term “ensure”, thereby stating, in no uncertain terms, the standard of care required of Boards in complying with the Standard. The term “ensure” is defined to mean ‘to take all reasonable steps and make all reasonable enquiries as are appropriate for a board so that the board can determine, to the best of its knowledge, that the stated matter has been properly addressed’. Therefore, APRA is really looking at Boards to drive information security.

CPS 234 defines the following terms:

1. “information security” means ‘the preservation of an information asset’s confidentiality, integrity and availability’;
2. “information assets” are defined to mean information, IT including software, hardware and (soft copy and hard copy) data.
3. Therefore, both paper and electronic files must be secured; and
4. “confidentiality”, “integrity” and “availability” with their ordinary meanings as one would expect to apply under this Standard.

The term “information” is not defined; however, given the CPS 234’s purpose and the above definitions, our view is that all information – member data, employer data, information in respect of all contracts/investments/commercial arrangements, and internal Trustee information (employee records, for example) – must be subject to the Trustee’s information security system. However, because information assets are to be classified, certain information may be subject to more stringent security requirements than others.

So how does the Trustee and Board comply with CPS 234?

The Trustee will need to:

1. clearly define the information security-related roles and responsibilities of the Board and the Trustee;
2.  maintain an information security capability commensurate with the size and extent of threats to its information assets, which can also adapt to new threats and vulnerabilities as they arise. This also includes assessing the information security capabilities of third parties (including related parties) that may manage any of the Trustee’s information assets;
3. maintain an information security policy framework commensurate with its exposures to vulnerabilities and threats, that also provides direction on the responsibilities of those charged with maintaining information security;
4. classify information assets by criticality (the potential impact of a loss of availability) and sensitivity (the potential impact of a loss of confidentiality or integrity);
5. have information security controls to protect its information assets that are implemented in a timely manner and that are commensurate with:
   1. vulnerabilities and threats to the information assets;
   2. the criticality and sensitivity of the information assets;
   3. the stage at which the information assets are within their life cycle; and
   4. the potential consequences of an information security incident;
6. evaluate the design and operating effectiveness of a third party’s information security controls;
7. have robust mechanisms in place to detect and respond to information security incidents in a timely manner;
8. annually test that its information security response plans to ensure that they remain effective and fit-for-purpose;
9. test the effectiveness of its information security controls through a systematic testing program commensurate with the relevant risks specific to the entity and its information and, where the information assets are managed by a third party, assess whether that testing is commensurate with the testing that would be required if the Trustee was conducting the test, itself;
10. escalate and report to the Board or senior management any testing results that identify information security control deficiencies that cannot be remediated in a timely manner;
11. review the sufficiency of the testing program at least annually or on material change to information assets or the business environment;
12. ensure that its internal audit activities include a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties and, where the information assets are managed by a third party, the internal audit must assess the information third party’s information security control assurance;
13. notify APRA as soon as possible, and no later than 72 hours, after experiencing an information security incident that:
    1. materially affects, or has the potential to materially affect, the Trustee or the interests of beneficiaries; or
    2. has been notified to other regulators (both in Australia and overseas); and
14. notify APRA as soon as possible and no later than 10 business days after identifying a material information security control weakness which the Trustee expects it will not be able to remediate in a timely manner.

Further requirements exist in respect of Trustees that may be part of a banking group.

Final Thoughts

APRA will shortly be undertaking consultation on an updated cross-industry prudential practice guide on information security, which will replace the current Prudential Practice Guide CPG 234 Management of Security Risk in Information and Information Technology. But until then, Trustees should start considering what information they hold, how they hold and secure it (and destroy it, over time) and what security requirements and processes they may need to ensure compliance with the Standard.