Meet new finance and insurance sector regulations in Australia
The new CPS 234 regulation from the Australian Prudential Regulation Authority (APRA) introduces elevated information security management requirements for financial and insurance organisations.
Mandated organisations must implement information handling policies and technology controls to protect sensitive information and help them better understand the information they create and store.
The new regulation gives these organisations an opportunity to improve their foundational information security capabilities and establish accurate categorisation of data at rest as well as at creation.
According to a 12-month insight report on Notifiable Data Breaches published by the Office of the Australian Information Commissioner (OAIC), the financial services sector reported the second-highest number of data breaches in 2019, just behind the health sector.
About 41% of those breaches were related to human error and 55% were attributed to malicious or criminal attacks.
Another report, the 2019 Financial Breach Report released by Bitglass, found that, worldwide, 60% of all leaked data last year came from financial services organisations.
Part of the reason for this vulnerability is that finance and insurance organisations handle a lot of extremely sensitive data, including bank account numbers, investment details, credit scores and credit card information, personal health information and more.
Because so much of the data at these organisations is highly sensitive, employees can accidentally initiate a breach simply by sending a file to an unauthorised recipient or leaving sensitive files on their computer desktop.
Scanning and reporting help companies define the problem of storing and using sensitive information, but neither capability offers a solution for how to protect it.
To ensure that your users abide by your information handling policies — and that the policies’ value is truly realised — your organisation needs a broader approach.
Advanced technologies available now not only scan your data to help identify sensitive information but also automatically and accurately embed rich metadata tags into files, documents or email messages aligned with your organisation’s unique definition of “sensitivity.”
This capability allows you to establish initiatives aimed at meeting APRA’s CPS 234 regulation and can also become a foundational building block to an effective data protection strategy.
Regulations are strict
Under APRA CPS 234, your information handling policies must be in line with the size of your organisation and the level of sensitive data you generate, use and hold on company networks. You must also regularly test the controls you have put in place and provide evidence of the effectiveness of your implemented policies.
While most organisations want to reduce the likelihood of a data breach, the idea of developing and implementing a full-scale data security strategy, complete with data protection technologies and controls, can be daunting. Even getting a handle on the specific APRA CPS 234 standard requirements for your organisation can be confusing.
However, noncompliance with APRA can result in substantial fines, potential legal risks, and damage to your organisation’s reputation.
Because consumer trust is key to success in the finance and insurance sectors, a data breach resulting from noncompliance could negatively affect customer and investor confidence in your business.
That’s why it’s critical to get on board.
How can you ensure APRA compliance?
To begin, your users need to understand the value of the data they work with day in and day out. And they need to develop best practices for handling sensitive information that become second nature.
Having a technology solution in place to help guide users is critical.
To cover your bases for APRA and various other security regulations, you need a broad solution to help identify personal and sensitive information, classify it, and protect it across your entire security ecosystem.
You need consistent, efficient protection throughout the data life cycle, whether it’s in transit or at rest, on site or in the cloud.
And, of course, you need to be able to prove compliance with privacy regulations such as APRA and others.
Titus solutions empower you to more efficiently manage all these dimensions of information security and, in concert with your existing cybersecurity infrastructure, achieve compliance with APRA CPS 234 and other data privacy regulations. Titus solutions help you:
- Identify and classify assets across your organisation, in transit and at rest
- Implement controls and alerts to guide employees when handling sensitive data
- Enhance your information security ecosystem, embedding rich metadata into files, documents and emails
- Enforce and enable your data handling policies using an automated solution
- Run ongoing testing for control effectiveness
- Conduct internal audits and generate reports to verify compliance