Understanding APRA CPS 234 Compliance for Australian Businesses

For Australian financial institutions and other APRA-regulated entities, APRA CPS 234 compliance is a critical part of cybersecurity governance. This standard sets out how organisations must manage information security to protect themselves — and the broader financial system — from cyber threats.

What is APRA CPS 234?

CPS 234 is an information security prudential standard issued by the Australian Prudential Regulation Authority (APRA). It applies to:

  • Banks and credit unions
  • Insurers and superannuation funds
  • Other APRA-regulated institutions

The standard came into effect on 1 July 2019. Its central requirement is that each entity maintain an information security capability commensurate with the size and extent of threats to its information assets, so a small credit union and a major bank are held to the same principles but not to the same scale of controls.

📘 Official text: APRA CPS 234

Why It Matters

Non-compliance with CPS 234 can lead to:

  • Regulatory intervention by APRA, including directions and licence conditions
  • Additional capital requirements imposed to reflect unmanaged operational risk
  • Increased audit and reporting requirements
  • Reputational damage

APRA's Cyber Security Strategy 2020–2024 set out stricter expectations of regulated entities, warning that they would be held accountable for failures in governance or incident response, and APRA has since used independent assessments of CPS 234 compliance to test whether those expectations are being met (source).

Core Requirements of CPS 234

1. Board Responsibility

The Board is ultimately responsible for the entity’s information security. Information security roles and responsibilities must be clearly defined for the Board, senior management, governing bodies and individuals.

Cybersecurity must be integrated into overall governance and risk management rather than treated as an IT matter.

2. Information Security Capability

Entities must maintain an information security capability commensurate with the size and extent of threats to their information assets, and must actively maintain it as threats and assets change. Where a related party or third party manages information assets, the entity must assess that party's information security capability as well.

3. Policy Framework

A formal set of information security policies, commensurate with the entity’s exposure to vulnerabilities and threats, must be implemented and regularly reviewed. The framework must provide direction on the responsibilities of all parties who have an obligation to maintain information security.

4. Controls Implementation

Entities must first identify and classify their information assets by criticality and sensitivity, and then implement controls to protect those assets, whether they are held within the organisation or managed by a related or third party.

Controls must be commensurate with the vulnerabilities and threats to each asset, its criticality and sensitivity, its stage in the lifecycle, and the potential consequences of a security incident. They include cryptographic, physical, administrative, and technical controls.

5. Incident Management

Entities must have mechanisms to detect and respond to information security incidents in a timely manner, maintain response plans for incidents that could plausibly occur, and review and test those plans at least annually.

An incident that has materially affected, or has the potential to materially affect, the entity or the interests of its depositors, policyholders, beneficiaries or other customers, or that has been notified to another regulator, must be reported to APRA as soon as possible and no later than 72 hours after the entity becomes aware of it. A material control weakness that the entity expects it will not be able to remediate in a timely manner must be notified within 10 business days of the entity becoming aware of it.

6. Testing and Assurance

The effectiveness of information security controls must be tested through a systematic testing programme, at a frequency commensurate with the rate of change to assets and threats, and testing must cover incident response plans and compliance with policies.

The internal audit function must review the design and operating effectiveness of information security controls, including those maintained by related and third parties, and must escalate material deficiencies to the Board or senior management.

7. Third-Party Risk

Entities must assess and manage risks from related parties and third-party providers that manage their information assets, including evaluating the provider’s information security capability and controls.

CPS 234 does not bind third parties directly; the regulated entity remains accountable for assets held by them, so its obligations must flow down through contracts and be verified through assurance.

Who Must Comply?

All APRA-regulated entities, including authorised deposit-taking institutions, general, life and private health insurers, and RSE licensees (superannuation trustees).

Third-party service providers who manage or access an entity’s information assets are not themselves regulated by CPS 234, but the entity must assess their security capability and hold them to its own obligations.

Such providers include cloud providers, IT outsourcing firms, and software vendors. Entities must ensure their contracts reflect CPS 234 obligations and include incident reporting, audit, and control requirements, with timeframes that allow the entity to meet its own 72-hour notification deadline.

How to Achieve CPS 234 Compliance

  • Conduct an information asset inventory and classify each asset by criticality and sensitivity, noting which assets are managed by third parties
  • Perform risk assessments for each asset and map existing controls against the identified threats
  • Develop a cybersecurity roadmap to close control gaps, owned at Board and senior management level
  • Train staff, integrate cyber into business continuity planning, and maintain and rehearse incident response plans, including the APRA notification process
  • Test controls regularly through penetration testing, tabletop exercises, and internal audit reviews, and extend assurance to third-party providers

Final Thoughts

APRA CPS 234 compliance is more than just a checkbox — it’s about ensuring financial system stability through cyber resilience. The cost of compliance is far lower than the cost of non-compliance, and the benefits extend beyond regulators: it protects customers, reputation, and core operations.

For APRA-regulated entities, now is the time to assess, improve, and demonstrate cybersecurity maturity.
