• A robust cyber security framework with its corresponding controls clearly identified. Roles and responsibilities for board members, senior management, any governing bodies and individuals with regard to information security must be clearly defined.
• All information assets must be identified and classified by their criticality and sensitivity, that is, by the business impact of a loss of availability, confidentiality or integrity.
• Third parties must also comply with the APRA CPS 234 information security requirements in order to protect sensitive information.
• APRA-regulated entities must continually test their systems to ensure that their security capability keeps pace with the evolving cyber threat landscape.
• Security incident response must follow formal incident response plans, ensure a support strategy is in place for all incident cases, and notify APRA of material information security incidents within 72 hours.
• Mandatory internal audits must review the design and operating effectiveness of information security controls.