
Ultimate Governance, Risk & Compliance (GRC) Guides

When do businesses need to notify APRA?

 


Businesses need to notify the Australian Prudential Regulation Authority (APRA) of cyber security incidents within 72 hours after they become aware of them. This requirement is set out in the ‘Prudential Standard CPS 234 – Information Security’, which is a set of guidelines developed by APRA to protect the financial system from cyber threats.

The notification requirement applies to any threat that has the potential to materially affect, financially or non-financially, the entity or the interests of its customers. This includes threats that could result in the loss or theft of customer data, the disruption of services, or the manipulation of data or systems. It also applies to threats that have been notified to other regulators, either in Australia or other jurisdictions.

When a business becomes aware of a cyber security incident, it must assess the impact of the threat and determine whether it needs to be reported to APRA. If the incident has the potential to cause serious harm to the business, its customers or the financial system, then it should be reported. Businesses should also consider any other obligations they may have to report the incident to other regulators or authorities. For example, if the incident involves the loss or theft of customer data, then the business may also be required to notify the Office of the Australian Information Commissioner (OAIC).

In order to ensure that APRA is notified of a cyber security incident in a timely manner, businesses should have a process in place to identify and report incidents. This process should include a system for monitoring and assessing the impact of the incident, and for notifying the relevant authorities. Businesses should also ensure that they have adequate cyber security measures in place to protect their systems and data. This includes measures such as encryption, secure access controls, and regular security audits.

By following the guidelines set out in CPS 234 and implementing robust cyber security measures, businesses can help to protect their customers and the financial system from cyber threats. By notifying APRA of any cyber security incidents that they become aware of, businesses can also help to ensure that the regulator is able to take appropriate action to protect the interests of customers and the financial system.


