Protecting customers' personal information - the evolving compliance landscape


The insurance industry is the custodian of millions of customers' personal information, including sensitive information.

Compliance protects what matters, and this is nowhere more apparent than when considering how to safeguard customers' personal information from cyber threats and bad actors.

The compliance landscape, in the context of protecting customers' personal information, is undergoing significant regulatory uplift.

It's important that the following regulatory changes and proposed regulatory changes are considered when reviewing compliance and information security measures.

  • CPS 230
  • CPS 234
  • Reforms to the Privacy laws
  • Cyber Security package

APRA general insurers (including foreign general insurers, as defined) authorised under section 12 of the Insurance Act must comply with CPS 230 and CPS 234. Service suppliers (including underwriting agencies and TPAs) are caught through the monitoring requirements imposed on insurers. In addition, AFS Licensees (who are not APRA-regulated insurers) must have an adequate risk management system that ensures the licensee explicitly identifies the risks it faces and has measures in place to keep those risks to an acceptable minimum (refer RG 104). This extends to the licensee's Authorised Representatives.

CPS 230

An APRA-regulated entity must manage its full range of operational risks, including but not limited to technology risk and data risk.

In managing technology risks, an APRA-regulated entity must monitor the age and health of its information assets and meet the requirements for information security in CPS 234.

An APRA-regulated entity must maintain a comprehensive service provider management policy. The policy must cover how the entity will identify material service providers and manage service provider arrangements, including the management of material risks associated with the arrangements.

CPS 234

An APRA-regulated entity must maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.

Where information assets are managed by a related party or third party, the APRA-regulated entity must assess the information security capability of that party, commensurate with the potential consequences of an information security incident affecting those assets.

An APRA-regulated entity must actively maintain its information security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or its business environment.

Reforms to the Privacy Laws

The Privacy and Other Legislation Amendment Bill 2024 was introduced to Parliament in September 2024 and contains tranche 1 reforms:

  • clarification that 'reasonable steps' in APP 11 Security of Personal Information includes technical and organisational controls
  • children's privacy
  • further enhanced regulatory powers and civil penalties
  • transparency for automated decision-making
  • white-list for overseas data transfers

Tranche 1 reforms (date unknown but identified for consultation) include an expanded scope of personal information, the introduction of an overarching 'fair and reasonable' test for the handling of personal information, and expanded individual rights.

The Cyber Security Legislative Package

The Cyber Security Legislative Package will implement seven initiatives under the 2023-2030 Australian Cyber Security Strategy, addressing legislative gaps to bring Australia in line with international best practice and take the next step to ensure Australia is on track to become a global leader in cyber security.

These measures will address gaps in current legislation to:

  • mandate minimum cyber security standards for smart devices;
  • introduce mandatory ransomware reporting for certain businesses to report ransom payments;
  • introduce a ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD); and
  • establish a Cyber Incident Review Board.

The package will also progress and implement reforms under the Security of Critical Infrastructure Act 2018 (SOCI Act).

These reforms will:

  • clarify existing obligations in relation to systems holding business critical data;
  • enhance government assistance measures to better manage the impacts of all hazards incidents on critical infrastructure;
  • simplify information sharing across industry and Government;
  • introduce a power for the Government to direct entities to address serious deficiencies within their risk management programs; and
  • align regulation for the security of telecommunications into the SOCI Act.

Protecting what matters

Protecting customers' personal information continues to be a critical focus for the general insurance industry. A significant regulatory uplift will require compliance arrangements for APRA-regulated insurers, AFS Licensees and service providers to continually evolve to manage the challenges that the cyber world poses and, in the words of CPS 234, 'to be resilient against information security incidents (including cyber-attacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats'.
