Dharma Governance

Control register

This is the full set of obligations Dharma scans for: 183 controls across 27 frameworks. Run the governance audit to score a document against them.

Share your compliance posture

Generate a read-only link your investors, auditors, or enterprise customers can verify. No account required.

Auto-generate Vendor DPA from contract

Upload a vendor or services contract (PDF or TXT) — Dharma extracts the details and pre-fills the DPA template.

Regulatory API Integrations

Direct connections to regulatory portals and official feeds. Live integrations update your compliance posture automatically.

INDIA

MCA21 (Ministry of Corporate Affairs) [Coming soon]

Read company master data, check annual return status and upcoming ROC filing deadlines.

GSTN (Goods and Services Tax Network) [Coming soon]

Read GST return filing status and upcoming compliance deadlines.

DPDP Digital Portal (India) [Coming soon]

Submit data fiduciary registration and read consent-log requirements when the portal goes live.

SEBI LODR (Listed entities) [Coming soon]

Track SEBI LODR compliance deadlines for listed companies.

UK / EU

ICO (UK Information Commissioner) [Beta]

Check and renew UK data controller registration. Read ICO enforcement notices.

EDPB (EU Data Protection Board) [Live]

Subscribe to EDPB guideline updates and opinion publications.


US

FTC Press Releases (US) [Live]

Track FTC enforcement actions and Safeguards Rule updates via official RSS.

SEC EDGAR (US listed companies) [Coming soon]

Read SEC filings and compliance disclosure requirements for public companies.

APAC

PDPC (Singapore) [Live]

Track PDPC advisory guidelines and enforcement decisions.

OAIC (Australia) [Live]

Track OAIC guidance and mandatory data breach notifications.


Live integrations already power the Regulatory Alerts feed above. Coming-soon integrations require government portals to expose public APIs.

Controls per framework:
10 DPDP Act 2023 controls
10 GDPR controls
10 ISO/IEC 27001:2022 controls
8 ISO/IEC 27701:2019 controls
9 SOC 2 controls
9 PCI DSS 4.0 controls
6 NIST CSF 2.0 controls
8 CCPA / CPRA controls
8 POSH Act 2013 controls
7 UK GDPR / DPA 2018 controls
6 NIS2 Directive controls
5 EU AI Act controls
5 HIPAA controls
6 LGPD controls
7 Singapore PDPA 2012 controls
7 UAE PDPL controls
6 Saudi Arabia PDPL controls
5 Qatar PDPPL controls
5 Bahrain PDPL controls
6 Australian Privacy Act / NDB controls
6 APRA CPS 234 controls
6 POPIA controls
5 Kenya Data Protection Act controls
6 Nigeria NDPA 2023 controls
6 EU NIS2 Directive controls
6 APRA CPS 234 (Information Security) controls
5 GLBA / FTC Safeguards Rule controls

DPDP Act 2023

India, Digital Personal Data Protection Act, 2023

India's data-protection statute. Governs processing of digital personal data, consent, data-principal rights, and breach reporting to the Data Protection Board.

Control
Obligation
Notice to Data Principal
Provide an itemised notice of personal data collected and the purpose of processing (s.5).
Consent and withdrawal
Obtain free, specific, informed consent and offer an equally easy means to withdraw it (s.6).
Purpose limitation
Process data only for the specified lawful purpose for which consent was given (s.6).
Data-principal rights
Enable rights to access, correction, erasure and grievance redressal (s.11 to s.13).
Grievance redressal or DPO
Publish a Data Protection Officer or grievance contact and a redressal mechanism (s.8(9), s.13).
Breach notification
Notify the Data Protection Board and affected principals of a personal data breach (s.8(6)).
Children's data
Obtain verifiable parental consent before processing a child's data; no tracking or targeted ads (s.9).
Retention and erasure
Erase personal data once the purpose is served and retention is no longer necessary (s.8(7)).
Reasonable security safeguards
Implement reasonable security safeguards to prevent a personal data breach (s.8(5)).
Data fiduciary obligations
Identify the Data Fiduciary and ensure accuracy and accountability for processing (s.8).

GDPR

EU, General Data Protection Regulation 2016/679

The EU's data-protection regulation. Establishes lawful bases, data-subject rights, accountability, DPIAs, and a 72-hour breach-notification duty.

Control
Obligation
Lawful basis for processing
Identify a lawful basis under Art.6 (consent, contract, legal obligation, legitimate interest, and so on).
Consent standard
Where relying on consent, it must be freely given, specific, informed and withdrawable (Art.7).
Data-subject rights
Facilitate access, rectification, erasure, portability, restriction and objection (Art.15 to Art.22).
Data Protection Officer
Appoint a DPO where required and publish contact details (Art.37 to Art.39).
Data Protection Impact Assessment
Carry out a DPIA for high-risk processing (Art.35).
72-hour breach notification
Notify the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals (Art.33), and notify affected data subjects without undue delay where the risk is high (Art.34).
Records of processing (ROPA)
Maintain records of processing activities (Art.30).
International transfers
Safeguard transfers outside the EEA via adequacy, SCCs or BCRs (Art.44 to Art.49).
Privacy by design and default
Implement data protection by design and by default (Art.25).
Storage limitation
Keep personal data no longer than necessary for the purpose (Art.5(1)(e)).

ISO/IEC 27001:2022

ISO, Information Security Management Systems

The international standard for an Information Security Management System (ISMS). Covers leadership, risk assessment, Annex A controls, and continual improvement.

Control
Obligation
ISMS scope and policy
Define the ISMS scope and an approved information security policy (cl.4 to cl.5).
Leadership and commitment
Demonstrate top-management commitment and assign security roles (cl.5).
Risk assessment and treatment
Operate a documented information security risk assessment and treatment process (cl.6, cl.8).
Access control
Restrict access to information and systems on least-privilege and need-to-know (A.5.15 to A.5.18).
Cryptography
Protect information using cryptographic controls and key management (A.8.24).
Incident management
Establish responsibilities and procedures for security incident response (A.5.24 to A.5.28).
Business continuity
Plan ICT readiness for business continuity, including RTO and RPO (A.5.29 to A.5.30).
Asset management
Maintain an inventory of assets and acceptable-use rules (A.5.9 to A.5.11).
Supplier security
Manage information security in supplier and third-party relationships (A.5.19 to A.5.23).
Awareness and training
Provide security awareness, education and training to personnel (A.6.3).

ISO/IEC 27701:2019

ISO, Privacy Information Management System (PIMS)

The privacy extension to ISO 27001. Adds privacy-specific controls for controllers and processors of personally identifiable information.

Control
Obligation
Controller and processor roles
Determine and document the organisation's role as PII controller or processor.
Purpose and lawful basis
Identify and record the lawful basis and specific purposes for processing PII.
Consent and choice
Obtain and record consent where required and provide a means to withdraw it.
PII principal rights
Provide mechanisms for access, correction, erasure and objection by PII principals.
Data minimisation and retention
Limit collection to what is necessary and define retention and disposal.
PII transfers
Record and safeguard transfers of PII across jurisdictions.
Privacy incident management
Handle privacy incidents and notify affected PII principals and authorities.
Processor and sub-processor agreements
Bind processors and sub-processors with privacy obligations in contracts.

SOC 2

AICPA, Trust Services Criteria (TSC)

An attestation over controls relevant to security, availability, processing integrity, confidentiality and privacy. Security (the common criteria) is mandatory; the others are optional categories.

Control
Obligation
Control environment (CC1)
Demonstrate commitment to integrity, governance oversight and defined responsibilities.
Risk assessment (CC3)
Identify, assess and manage risks to the achievement of objectives.
Monitoring activities (CC4)
Evaluate and communicate control deficiencies on an ongoing basis.
Logical and physical access (CC6)
Restrict logical and physical access through authentication and authorisation.
Change management (CC8)
Authorise, design, test and approve changes to infrastructure and software.
System operations (CC7)
Detect and respond to security events and incidents.
Availability (A1)
Maintain capacity, backups and recovery to meet availability commitments.
Confidentiality (C1)
Identify and protect confidential information through its lifecycle.
Privacy (P)
Collect, use, retain and dispose of personal information per the privacy notice.

PCI DSS 4.0

PCI SSC, Payment Card Industry Data Security Standard

The security standard for organisations that store, process or transmit cardholder data. Twelve requirements spanning network security, encryption, access control and monitoring.

Control
Obligation
Secure network and segmentation
Install and maintain network security controls and segment the cardholder data environment.
Protect stored cardholder data
Render stored account data unreadable and mask the PAN when displayed.
Encrypt transmission
Protect cardholder data with strong cryptography during transmission over open networks.
Vulnerability and malware management
Protect systems from malware and keep software patched.
Restrict access
Restrict access to cardholder data on need-to-know and assign unique IDs.
Multi-factor authentication
Require multi-factor authentication for access into the cardholder data environment.
Logging and monitoring
Log and monitor all access to system components and cardholder data.
Test security regularly
Run vulnerability scans and penetration tests on a defined schedule.
Information security policy
Maintain a policy that addresses information security for all personnel.

NIST CSF 2.0

NIST, Cybersecurity Framework

A risk-based cybersecurity framework organised around six functions: Govern, Identify, Protect, Detect, Respond and Recover.

Control
Obligation
Govern
Establish a cybersecurity risk-management strategy, roles and policy.
Identify
Maintain asset inventories and assess risks to systems and data.
Protect
Apply access control, data security, training and protective technology.
Detect
Continuously monitor and detect anomalies and security events.
Respond
Plan, communicate and carry out incident response and mitigation.
Recover
Maintain recovery plans and restore capabilities after an incident.

CCPA / CPRA

California, Consumer Privacy Act as amended by CPRA

California's consumer-privacy law. Grants rights to know, delete, correct and opt out of the sale or sharing of personal information.

Control
Obligation
Notice at collection
Inform consumers of the categories of personal information collected and the purpose.
Right to know and access
Honour requests to know and access the personal information held.
Right to delete
Honour verifiable deletion requests subject to exceptions.
Right to opt out of sale or sharing
Provide a clear means to opt out of the sale or sharing of personal information.
Right to correct
Allow consumers to correct inaccurate personal information.
Limit sensitive personal information
Let consumers limit the use and disclosure of sensitive personal information.
Non-discrimination
Do not discriminate against consumers who exercise their rights.
Service-provider contracts
Bind service providers and contractors with the required contract terms.

POSH Act 2013

India, Sexual Harassment of Women at Workplace Act, 2013

India's workplace law against sexual harassment. Requires a policy, an Internal Committee, a complaint process and annual reporting.

Control
Obligation
Policy and prohibition
Adopt and publish a policy prohibiting sexual harassment at the workplace.
Internal Committee
Constitute an Internal Committee with a Presiding Officer.
Committee composition
Include a senior woman, an external member and the required member count.
Complaint and inquiry process
Provide a written complaint process and a time-bound inquiry.
Timelines
Complete the inquiry within the statutory period (90 days).
Confidentiality
Keep the identity of the parties and proceedings confidential.
Annual report
File the annual report of cases with the District Officer.
Awareness and training
Conduct awareness and sensitisation programmes for employees.

UK GDPR / DPA 2018

UK, UK General Data Protection Regulation + Data Protection Act 2018

Post-Brexit UK data-protection law. It largely mirrors EU GDPR but is enforced by the ICO; the lawful bases are the same as Art.6 GDPR, and international transfers use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs. FCA rules for financial firms are a separate regime, not part of UK GDPR.

Control
Obligation
Lawful basis
Identify a lawful basis for processing under UK GDPR Art.6; document it in the ROPA.
UK data-subject rights
Enable rights to access, erasure, portability, restriction and objection under UK GDPR Arts.15–22.
ICO registration and DPO
Register with the ICO (unless exempt) and appoint a DPO where required.
72-hour breach report to ICO
Notify the ICO within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk, and affected individuals without undue delay where the risk is high (UK GDPR Art.33 to Art.34).
International transfers (UK IDTA / SCCs)
Use the UK IDTA or the UK Addendum to the EU SCCs for restricted transfers outside the UK, supported by a transfer risk assessment (UK GDPR Art.46).
UK NIS Regulations 2018
Operators of essential services and relevant digital service providers must implement appropriate security measures and report incidents to their competent authority (the ICO for digital service providers).
UK Cyber Essentials
Obtain Cyber Essentials (or Cyber Essentials Plus) certification where a UK central-government contract requires it (contracts involving personal data or ICT services); it is not a statutory requirement under UK GDPR but serves as evidence of the Art.32 security measures.

NIS2 Directive

EU, Directive 2022/2555 on Network and Information Security

Mandatory cybersecurity law for EU essential and important entities (energy, transport, banking, health, digital infrastructure and more). Replaces NIS1; requires risk management, supply-chain security, incident reporting within 24/72 hours, and executive accountability.

Control
Obligation
Cybersecurity risk-management policy
Adopt a risk-based cybersecurity policy covering networks, systems and supply chain (Art.21).
Incident reporting — 24 h early warning
Submit an early warning to the national CSIRT within 24 hours and a full report within 72 hours (Art.23).
Supply-chain security
Assess and manage cybersecurity risks from suppliers and service providers (Art.21(2)(d)).
Business continuity and crisis management
Maintain BCP, DRP and crisis management procedures (Art.21(2)(c)).
Encryption and access control
Adopt policies on cryptography and, where appropriate, encryption (Art.21(2)(h)), and use multi-factor or continuous authentication and secured communications (Art.21(2)(j)).
Management body accountability
Management bodies must approve, oversee and be trained on cybersecurity measures (Art.20).

EU AI Act

EU, Regulation (EU) 2024/1689 on Artificial Intelligence

Risk-tiered regulation of AI systems. Prohibited AI practices apply from 2 Feb 2025; GPAI model obligations from 2 Aug 2025; most high-risk AI systems (Annex III) from 2 Aug 2026; high-risk systems embedded in Annex I regulated products from 2 Aug 2027. Applies to providers and deployers placing AI systems on the EU market or putting them into service in the EU.

Control
Obligation
Prohibited AI practices
Do not deploy subliminal or manipulative techniques, exploitation of vulnerabilities, social scoring, untargeted facial-image scraping, or real-time remote biometric identification in public spaces for law enforcement outside the listed exceptions (Art.5). Applies from 2 Feb 2025.
GPAI model obligations
General-purpose AI model providers must maintain technical documentation, a copyright-compliance policy and a public summary of training content (Art.53), and must notify the Commission when a model meets the systemic-risk threshold (Art.52), which triggers the additional duties of Art.55. Applies from 2 Aug 2025.
High-risk AI system requirements
High-risk systems need a risk-management system, data governance, technical documentation, logging, transparency to deployers and human oversight (Art.9 to Art.15), plus a conformity assessment before being placed on the market (Art.43). Annex III systems apply from 2 Aug 2026; Annex I product-embedded systems from 2 Aug 2027.
Transparency to users
Notify users when interacting with AI (chatbots, deep fakes) and make AI-generated content detectable (Art.50).
AI governance and documentation
Maintain an AI use policy, register high-risk systems in the EU database, and appoint an EU AI Act compliance contact.

HIPAA

US, Health Insurance Portability and Accountability Act 1996 (as amended)

Federal US law protecting Protected Health Information (PHI). Applies to covered entities (health plans, providers, clearinghouses) and their business associates. Requires Privacy Rule, Security Rule (administrative, physical, technical safeguards) and Breach Notification Rule compliance.

Control
Obligation
Privacy Rule — permitted uses
Use or disclose PHI only for treatment, payment, operations or with authorisation (45 CFR §164.502).
Security Rule — safeguards
Implement administrative, physical and technical safeguards to protect electronic PHI (45 CFR §164.308, §164.310 and §164.312 respectively).
Business Associate Agreement
Execute a BAA with every vendor or contractor that creates, receives, maintains or transmits PHI on your behalf.
Breach notification
Notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach (45 CFR §164.404); notify prominent media if more than 500 residents of a state or jurisdiction are affected (§164.406); notify HHS at the same time for breaches affecting 500 or more individuals, or in an annual log for smaller breaches (§164.408).
Patient rights
Allow patients to access, amend and obtain an accounting of disclosures of their PHI.

LGPD

Brazil, Lei Geral de Proteção de Dados Pessoais (Lei 13.709/2018)

Brazil's comprehensive data-protection law, effective 2020 with administrative enforcement from 2021. ANPD-enforced; 10 lawful bases; data-subject rights; DPO (Encarregado) required; fines up to 2% of Brazil revenue (max R$50 million).

Control
Obligation
Lawful basis (base legal)
Identify one of the 10 lawful bases (Art.7) for processing personal data; consent must be express and specific.
Data-subject rights
Honour rights to access, correction, deletion, portability, and revocation of consent (Art.18).
Encarregado (DPO)
Appoint an Encarregado (DPO) and publish contact details on your website (Art.41).
Privacy Impact Assessment (RIPD)
Conduct a RIPD (DPIA equivalent) for high-risk processing upon ANPD request (Art.38).
International data transfer
Transfer data outside Brazil only to countries with adequate protection or under ANPD-approved safeguards (Art.33).
Breach notification to ANPD
Notify the ANPD and affected individuals of a security incident that may cause significant risk or damage (Art.48); ANPD Resolution CD/ANPD 15/2024 sets the deadline at three working days from becoming aware of the incident.

Singapore PDPA 2012

Singapore, Personal Data Protection Act 2012 (as amended 2020/2021)

Singapore's data-protection law enforced by the PDPC. 2021 amendments introduced mandatory breach notification, expanded offences, and increased fines (up to S$1 million or 10% of annual turnover). Covers collection, use and disclosure of personal data.

Control
Obligation
Consent obligation
Obtain valid consent before collecting, using or disclosing personal data, unless an exception applies (s.13 PDPA).
Purpose limitation
Collect, use and disclose data only for purposes a reasonable person would consider appropriate (s.18).
Access and correction rights
Upon request, provide access to and correct inaccurate personal data (s.21–s.22).
Accuracy obligation
Make reasonable effort to ensure personal data collected is accurate and complete (s.23).
Protection obligation
Make reasonable security arrangements to prevent unauthorised access, use or disclosure (s.24).
Mandatory breach notification
Assess a suspected breach expeditiously and notify the PDPC no later than 3 calendar days after assessing it as notifiable (likely significant harm, or significant scale of 500 or more individuals); also notify affected individuals where significant harm is likely (s.26B to s.26D).
Data Protection Officer
Designate a DPO responsible for ensuring PDPA compliance (s.11(3)).

UAE PDPL

UAE, Federal Decree-Law No. 45 of 2021 on Personal Data Protection

UAE's federal data-protection law (effective 2022, executive regulations 2023). Supervised by the UAE Data Office. Applies to any processing in or targeting the UAE (excludes DIFC and ADGM which have their own regimes). Fines up to AED 20 million.

Control
Obligation
Lawful basis for processing
Process personal data only with consent, contractual necessity or another legal basis (Art.4–8).
Data-subject rights
Enable rights to access, correct, erase and transfer personal data (Art.14–18).
Controller obligations
Appoint a Data Protection Officer if processing high-risk or large-scale personal data (Art.10).
Breach notification (72 h)
Notify the UAE Data Office within 72 hours of a breach likely to harm data subjects (Art.11).
Cross-border transfer controls
Transfer data outside the UAE only to adequate jurisdictions or under approved safeguards (Art.22).
DIFC Data Protection Law 2020
Entities in DIFC comply with DIFC DP Law 2020 (DIFC Law 5 of 2020) and its amendments.
ADGM Data Protection Regulations 2021
Entities in ADGM comply with ADGM DPR 2021 (largely mirrors UK GDPR).

Saudi Arabia PDPL

Saudi Arabia, Personal Data Protection Law (Royal Decree M/19, 2021, amended 2023)

Saudi Arabia's PDPL (enforced by SDAIA). Applies to organisations processing data of Saudi residents. Regulations issued 2023; fines up to SAR 5 million; NCA ECC and CSCC frameworks govern cybersecurity in parallel.

Control
Obligation
Consent and sensitive data
Obtain explicit consent for processing; process sensitive data (health, financial, biometric) only under strict conditions (Art.5–6).
Data-subject rights
Provide rights to access, correction and deletion; respond within 30 days (Art.8–9).
Cross-border transfer
Transfer personal data outside Saudi Arabia only to jurisdictions SDAIA has deemed adequate or under the safeguards in the Data Transfer Regulations (Art.29); the 2023 amendment replaced the earlier case-by-case approval requirement.
Breach notification to SDAIA
Notify SDAIA of a breach without delay (Art.20; the Implementing Regulations set 72 hours) and notify affected individuals where serious harm to them is likely.
NCA Essential Cybersecurity Controls (ECC)
Comply with NCA ECC-1:2018 controls governing governance, asset management, threat management and resilience.
NCA Cloud Cybersecurity Controls (CCC)
Cloud service providers and consumers in Saudi Arabia comply with NCA CCC-1:2020.

Qatar PDPPL

Qatar, Personal Data Privacy Protection Law No. 13 of 2016

Qatar's data-protection law overseen by the Ministry of Communications and Information Technology (MCIT). Covers collection, processing and transfer of personal data; requires a registered Data Controller; fines up to QAR 5 million.

Control
Obligation
Consent obligation
Obtain prior written or equivalent consent before processing personal data (Art.4).
Purpose specification
Process data only for specified, explicit and legitimate purposes (Art.5).
Data-subject rights
Grant access, correction and deletion rights; respond within 30 days (Art.11–12).
Controller registration
Register as a Data Controller with the MCIT before processing personal data (Art.7).
International transfer approval
Obtain MCIT approval or use approved safeguards for transfers outside Qatar (Art.17).

Bahrain PDPL

Bahrain, Personal Data Protection Law No. 30 of 2018

Bahrain's data-protection law enforced by the Personal Data Protection Authority (PDPA). One of the most comprehensive in the GCC. Applies to controllers processing personal data of Bahrain residents.

Control
Obligation
Lawful basis
Process personal data under a recognised lawful basis including consent, contract or legal obligation (Art.5).
Data-subject rights
Honour access, correction and objection rights; respond within 30 days (Art.12–15).
Data Protection Officer
Appoint a DPO for processing involving sensitive data or large-scale monitoring (Art.10).
Cross-border transfers
Transfer data outside Bahrain only to adequate countries or under binding safeguards (Art.25).
Breach notification
Notify the PDPA and affected individuals of a data breach as soon as practicable.

Australian Privacy Act / NDB

Australia, Privacy Act 1988 (Cth) including APPs and Notifiable Data Breaches scheme

Australia's federal privacy law applying to agencies and organisations with turnover > A$3 million (and others). 13 Australian Privacy Principles (APPs). The NDB scheme (Part IIIC) requires breach notification to the OAIC and affected individuals for eligible breaches.

Control
Obligation
APP 1 & 5 — Open and transparent / Notice at collection
Maintain an up-to-date privacy policy and notify individuals at the point of collection (APP 1, 5).
APP 3 — Solicitation of personal information
Collect only information reasonably necessary for the function; sensitive information requires consent.
APP 12 & 13 — Access and correction
On request, provide access to and correct inaccurate personal information (APP 12, 13).
APP 8 — Cross-border disclosure
Before disclosing personal information overseas, take reasonable steps to ensure the recipient complies with APPs (APP 8).
NDB — Notifiable Data Breaches
Notify the OAIC and affected individuals as soon as practicable if a data breach is likely to result in serious harm (Part IIIC, Privacy Act).
APP 11 — Security of personal information
Take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access (APP 11).

APRA CPS 234

Australia, APRA Prudential Standard CPS 234 — Information Security

Mandatory cybersecurity standard for all APRA-regulated entities (banks, insurers, super funds). Requires defined information security roles, capability commensurate with threats, systematic testing, and 72-hour incident notification to APRA.

Control
Obligation
Information security roles
Board and management must define information security responsibilities; the board reviews the IS policy annually.
Information security capability
Maintain IS capability to protect information assets proportionate to the nature and extent of threats.
IS policy framework
Maintain a written IS policy framework reviewed and approved by the board at least annually.
Testing IS controls
Conduct systematic IS control testing at least annually; for critical systems, more frequently.
Notify APRA within 72 hours
Notify APRA within 72 hours of becoming aware of a material information security incident.
Third-party information security
Ensure that third parties managing information assets maintain IS controls commensurate with APRA standards.

POPIA

South Africa, Protection of Personal Information Act 4 of 2013 (effective 2021)

South Africa's data-protection law enforced by the Information Regulator. Eight conditions for lawful processing; responsible party and operator framework; fines up to ZAR 10 million and imprisonment for serious offences.

Control
Obligation
Eight conditions for lawful processing
Process personal information in compliance with all eight conditions for lawful processing: accountability, processing limitation, purpose specification, further-processing limitation, information quality, openness, security safeguards and data-subject participation (Chapter 3, Part A, ss.8 to 25).
Data-subject rights
Enable rights to access, correction and destruction of personal information and to object to processing (s.5, s.11(3), s.23 to s.24).
Information Officer
Register and appoint an Information Officer (IO) or Deputy IO with the Information Regulator.
Breach notification
Notify the Information Regulator and affected data subjects of a security compromise as soon as reasonably possible (s.22).
Operator agreements
Bind operators (processors) by contract to the same processing conditions as the responsible party (s.21).
Transborder information flows
Transfer personal information outside South Africa only to an adequately protected jurisdiction or under binding safeguards (s.72).

Kenya Data Protection Act

Kenya, Data Protection Act No. 24 of 2019 (ODPC-enforced)

Kenya's data-protection law enforced by the Office of the Data Protection Commissioner (ODPC). Controllers and processors must register; administrative fines up to KES 5 million or 1% of annual turnover, whichever is lower (s.63). Broadly follows GDPR structure.

Control
Obligation
Registration with ODPC
Data controllers and processors with automated or large-scale processing must register with the ODPC (s.17).
Lawful processing
Process personal data only under a lawful ground (consent, contract, legal obligation, vital interests, public task, or legitimate interest) (s.30).
Data-subject rights
Enable rights to access, correction, erasure, restriction and portability (ss.26–31).
Data Protection Officer
Appoint a DPO for public bodies and entities processing large volumes of personal data (s.24).
Breach notification to ODPC
Notify the ODPC and affected data subjects within 72 hours of discovering a data breach (s.43).

Nigeria NDPA 2023

Nigeria, Nigeria Data Protection Act 2023 (NDPC-enforced); with NDPR 2019 as prior instrument

Nigeria's comprehensive data-protection law (signed June 2023), replacing the NDPR 2019. Enforced by the Nigeria Data Protection Commission (NDPC). Applies to Nigerian residents' data globally. Fines up to 2% of annual gross revenue or ₦10 million, whichever is higher.

Control
Obligation
Lawful basis for processing
Process personal data only under a lawful basis: consent, contract, legal obligation, vital interests, public task or legitimate interest (s.25).
Data-subject rights
Provide access, correction, deletion, restriction, portability and objection rights (ss.34–41).
Data Protection Officer
Appoint a DPO where processing is systematic, large-scale or involves sensitive data (s.33).
Data Protection Impact Assessment
Conduct a DPIA for high-risk processing activities (s.31).
Breach notification — 72 hours
Notify the NDPC within 72 hours and affected data subjects without undue delay (s.40).
Cross-border transfer
Transfer data outside Nigeria only to countries providing adequate protection or under approved safeguards (s.43).

EU NIS2 Directive

European Union, Directive (EU) 2022/2555; national transposition by October 17, 2024

NIS2 expands EU cybersecurity obligations to 'essential' and 'important' entities across 18 sectors. It mandates risk-based security measures, supply-chain security, management accountability, and incident notification within 24 hours (early warning) and 72 hours to national CSIRTs. Management bodies bear personal liability.

Control
Obligation
Cybersecurity governance
The management body must approve and oversee cybersecurity risk-management measures; managers may be held personally liable for infringements (NIS2 Art.20).
Risk-based security measures
Implement risk-proportionate technical and organisational measures covering: risk policies, incident handling, BCP, supply-chain security, network security, cryptography, MFA and HR security (Art.21).
Incident notification — 24 h early warning / 72 h report
Notify the national CSIRT within 24 hours (early warning), 72 hours (full notification) and 1 month (final report) of a significant incident (Art.23).
Supply-chain security
Assess cybersecurity risks in the supply chain, evaluate direct suppliers' security practices, and include security requirements in supplier agreements (Art.21(2)(d)).
Registration with national authority
Essential and important entities must register with the competent national authority within 3 months of applicability (Art.27).
Vulnerability disclosure policy
Maintain a policy for handling and disclosing vulnerabilities as part of security in acquisition, development and maintenance (Art.21(2)(e)); Art.21 applies to essential and important entities alike, with the national CSIRT acting as coordinator for disclosure under Art.12.

APRA CPS 234 (Information Security)

Australia, APRA Prudential Standard CPS 234 (effective 1 July 2019); guidance CPG 234

CPS 234 requires APRA-regulated entities (banks, insurers, superannuation funds) and their material ICT service providers to maintain information security capability commensurate with threats, classify information assets, test controls, and notify APRA within 72 hours of material incidents.

Control
Obligation
Information security capability
Maintain an information security capability commensurate with the size and extent of threats to information assets (CPS 234 §§13–14).
Information asset classification
Classify information assets — including those managed by third parties — by criticality and sensitivity (§§15–16).
Control effectiveness testing
Systematically test controls at least annually and after significant change; escalate identified gaps to the Board (§§21–23).
Third-party provider assurance
Assess and ensure third-party providers managing information assets maintain adequate controls; include CPS 234 obligations contractually (§§17–18).
APRA notification — 72 h material incident
Notify APRA as soon as possible and no later than 72 hours after becoming aware of a material information security incident (§35), and within 10 business days after becoming aware of a material information security control weakness it does not expect to remediate in a timely manner (§36).
Board oversight
The Board is accountable for ensuring adequate information security; must receive cybersecurity posture reporting at least annually (§§10–12).

GLBA / FTC Safeguards Rule

US, Gramm-Leach-Bliley Act 1999 + FTC Safeguards Rule (amended 2023)

US federal law for financial institutions; the FTC Safeguards Rule (16 CFR Part 314) applies it to non-bank financial institutions under FTC jurisdiction. The Rule, amended in 2021 (effective June 2023) and again in 2023 (notification duty, effective May 2024), requires a written information security programme, a qualified individual, a written risk assessment and encryption of customer information in transit and at rest.

Control
Obligation
Written information security programme
Maintain a written InfoSec programme with administrative, technical and physical safeguards (16 CFR §314.4).
Qualified individual
Designate a qualified individual to oversee, implement and enforce the security programme (16 CFR §314.4(a)).
Written risk assessment
Perform a written risk assessment identifying reasonably foreseeable internal and external threats to customer information, and reassess periodically (16 CFR §314.4(b)).
Encryption of customer data
Encrypt customer information in transit over external networks and at rest, or apply compensating controls approved by the qualified individual (16 CFR §314.4(c)(3)).
Breach notification — 30 days
Notify the FTC as soon as possible and no later than 30 days after discovering a notification event involving unencrypted information of at least 500 consumers (16 CFR §314.4(j), in force since May 2024).

Heuristic gap-finder for review, not legal advice or certification.
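One way to implement the gap-finder this page describes only in outline (scan a document, score it per framework, crosswalk equivalent obligations), as an added example that is not Dharma's code. The register, the evidence regexes, the crosswalk keys and the sample policy are all constructed here for illustration; the scan rules the product uses are not published on this page. The example also shows why the result stays heuristic: a control counts as evidenced only when every one of its patterns hits inside a single paragraph, which stops an unrelated "72 hours" (a support SLA) from satisfying a breach-notification control, and each hit is returned as a snippet so a human reviewer can confirm it.

```python
"""Keyword-evidence gap-finder with a control crosswalk.

Added example, not Dharma's own code. Register, patterns, crosswalk keys and
the sample policy are constructed for illustration only.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    framework: str
    name: str
    crosswalk: str   # controls sharing a key are treated as one obligation
    patterns: tuple  # every regex must hit inside ONE paragraph to count


# Constructed register: a few of the controls listed on this page, with
# hypothetical evidence patterns.
REGISTER = (
    Control("GDPR", "72-hour breach notification", "breach-notify-72h",
            (r"\b72\s*hours?\b", r"\bbreach\b", r"\bsupervisory authority\b|\bregulator\b")),
    Control("UK GDPR / DPA 2018", "72-hour breach report to ICO", "breach-notify-72h",
            (r"\b72\s*hours?\b", r"\bbreach\b", r"\bICO\b|\bsupervisory authority\b")),
    Control("NIS2 Directive", "Incident reporting 24 h early warning", "breach-notify-24h",
            (r"\b24\s*hours?\b", r"\bCSIRT\b|\bearly warning\b")),
    Control("DPDP Act 2023", "Retention and erasure", "storage-limitation",
            (r"\beras(e|ed|ure)\b|\bdelet(e|ed|ion)\b", r"\bno longer (necessary|needed)\b")),
    Control("GDPR", "Storage limitation", "storage-limitation",
            (r"\beras(e|ed|ure)\b|\bdelet(e|ed|ion)\b", r"\bno longer (necessary|needed)\b")),
    Control("PCI DSS 4.0", "Multi-factor authentication", "mfa",
            (r"\bmulti-factor\b|\bMFA\b",)),
    Control("PCI DSS 4.0", "Encrypt transmission", "encrypt-in-transit",
            (r"\bTLS\b|\bencrypt\w*\b", r"\bin transit\b|\btransmi\w+\b")),
)

# Constructed sample policy. The second paragraph is a deliberate distractor:
# it contains "72 hours" but is about support SLAs, not breaches.
SAMPLE_POLICY = """
Incident response. On confirming a personal data breach, the CISO notifies the
supervisory authority (the ICO for UK data) within 72 hours and affected
individuals without undue delay.

Support. Customer tickets receive a first response within 72 hours.

Retention. Personal data is erased when it is no longer necessary for the
purpose it was collected for.

Access. Administrative access requires multi-factor authentication and follows
least privilege.
"""


def paragraphs(text):
    """Split a document into paragraphs; each paragraph is one evidence window."""
    return [" ".join(p.split()) for p in re.split(r"\n\s*\n", text) if p.strip()]


def evidence_for(control, paras):
    """Paragraphs in which every pattern of the control matches (case-insensitive)."""
    return [p for p in paras
            if all(re.search(pat, p, re.IGNORECASE) for pat in control.patterns)]


def audit(text, register=REGISTER):
    """Score each framework as (evidenced, total) and list unevidenced controls as gaps."""
    paras = paragraphs(text)
    scores = defaultdict(lambda: [0, 0])
    evidence, gaps = {}, []
    for c in register:
        hits = evidence_for(c, paras)
        scores[c.framework][1] += 1
        if hits:
            scores[c.framework][0] += 1
            evidence[(c.framework, c.name)] = hits   # snippets for human review
        else:
            gaps.append((c.framework, c.name))
    return {"scores": {f: tuple(v) for f, v in scores.items()},
            "evidence": evidence, "gaps": gaps}


def crosswalk(result, register=REGISTER):
    """Group evidenced controls by crosswalk key: one paragraph of evidence can
    satisfy the same obligation in several frameworks at once."""
    satisfied = defaultdict(list)
    for c in register:
        if (c.framework, c.name) in result["evidence"]:
            satisfied[c.crosswalk].append(c.framework)
    return dict(satisfied)


if __name__ == "__main__":
    r = audit(SAMPLE_POLICY)
    for fw, (hit, total) in sorted(r["scores"].items()):
        print(f"{fw}: {hit}/{total}")
    print("gaps:", r["gaps"])
    print("crosswalk:", crosswalk(r))
```

Running it scores GDPR 2/2, UK GDPR 1/1, DPDP 1/1, PCI DSS 1/2 and NIS2 0/1, reports the 24-hour early warning and encryption-in-transit controls as gaps, and shows the single incident-response paragraph satisfying the breach-notification obligation in both GDPR and UK GDPR. The support-SLA paragraph never appears as evidence because it lacks the "breach" and "authority" terms, which is the reason for scoping matches to one paragraph rather than the whole document.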