CPS 234 has been in force since July 2019. It is APRA's core information security standard and covers every entity APRA regulates. Six years of supervisory activity later, APRA's own reviews still find the same gaps coming up: control testing is not happening often enough, third-party risk is being assumed rather than assessed, and boards are attesting without knowing whether the underlying controls actually work.
Who CPS 234 applies to
CPS 234 applies to all APRA-regulated entities: authorised deposit-taking institutions (banks, credit unions and building societies), general insurers, life insurers, private health insurers, and superannuation fund trustees with an RSE licence.
If your organisation holds both an APRA licence and an AFS licence, CPS 234 and ASIC's s912A obligations apply at the same time. They are not alternatives. The same controls often satisfy both, but the attestation and governance structures CPS 234 requires go further than what ASIC typically prescribes.
Suppliers and service providers are also pulled in, even without being directly regulated. APRA requires regulated entities to assess and manage information security risks in their third-party arrangements. That requirement flows downstream.
The ten obligations
CPS 234 organises its requirements across ten areas.
- Information security capability. Maintain an information security capability commensurate with the size and nature of threats, including those arising from assets managed by third parties.
- Policy framework. A formal information security policy framework must be implemented and kept current.
- Information asset identification and classification. All information assets must be identified, including those held by third parties, and classified by criticality and sensitivity.
- Implementation of controls. Controls must be proportionate to the criticality and sensitivity of the assets they protect. Where a third party holds information assets, their controls must be assessed.
- Incident management. Processes for incident detection, response and recovery must be in place and functional.
- Testing programme. Controls must be tested through a systematic programme that includes and assessments, at a frequency reflecting the risk profile of the assets involved.
- Internal audit. The information security framework must be independently reviewed through internal audit or an equivalent function.
- Third-party and related-party management. Information security risks in third-party arrangements must be assessed and addressed, and contracts should include information security requirements.
- Notification to APRA. Notify APRA within 72 hours of becoming aware of a material information security incident.
- Board attestation. The board attests annually to APRA that information security controls are operating effectively and that material residual risks have been identified and accepted.
What APRA found when it looked
APRA's thematic review of CPS 234 compliance in 2020-2021 found widespread gaps. Control testing frequency was inadequate across most entities reviewed. Third-party vendor risk was not being properly assessed. Incident detection capability fell below expectation.
The board attestation process drew its own criticism. Many boards were completing attestations without adequate assurance that the underlying controls had been tested. An attestation based on management assertions rather than independent evidence does not satisfy the standard, and APRA said so plainly.
Through 2023-2024, APRA increased supervisory activity, including targeted reviews of operational resilience. Enforceable undertakings and licence conditions have been imposed on entities with material gaps. APRA's 2023 annual report named cyber among the top risks to the Australian financial system.
The 72-hour notification rule
The 72-hour clock starts when the entity becomes aware of a material incident, not when the full scope is understood. That distinction matters a lot operationally.
The notification process needs to exist before anything goes wrong. Who makes the APRA notification, how the decision on materiality is made and documented, and how that person is reached at 2am on a Sunday: these are not questions to answer during an incident.
Organisations that wait until they have the full picture before notifying are frequently already in breach. APRA expects early notification and accepts that it will be incomplete. The follow-up updates are part of the process.
Third-party risk: the most consistently missed obligation
Most organisations that go through a CPS 234 review can name their critical third-party relationships. Fewer have actually assessed the information security controls those parties apply to the data they hold. Fewer still have contracts that give them any visibility into those controls, let alone audit rights.
CPS 234 requires that the information security capability of third parties managing information assets be assessed, proportionate to the sensitivity and criticality of what is involved. That assessment cannot be skipped on the basis that the vendor is well known or has a 2 certificate.
Technology vendors, cloud providers, managed service providers and outsourced processing partners all fall within scope if they hold or process information assets covered by CPS 234. Their security posture becomes part of the regulated entity's risk picture.
CPS 234 and ASIC obligations: how they interact
For organisations regulated by both APRA and ASIC, the practical requirements overlap considerably. , patching, access controls, and testing all appear in both frameworks. The structural difference is that CPS 234 imposes a governance layer ASIC's s912A does not. Annual board attestation, an independent testing programme and formal third-party assessments are more prescriptive under CPS 234.
Most controls that satisfy CPS 234 will also satisfy ASIC's expectations. Aligning with the gives a practical technical baseline that maps to both, which avoids running two separate programmes.
An organisation genuinely compliant with CPS 234 will generally be meeting ASIC's cyber expectations as a byproduct. The documentation and governance structures CPS 234 requires are what ASIC looks for when assessing whether a firm has adequate risk management systems.
Frequently asked questions
What is the difference between CPS 234 and CPG 234?
CPS 234 is the prudential standard, which is mandatory. CPG 234 is the companion practice guide APRA published in June 2019. CPG 234 is not mandatory, but because APRA's supervisory expectations track it closely, treating it as authoritative guidance on implementation is the practical approach.
What counts as a material information security incident for APRA notification purposes?
APRA has not defined materiality precisely, but incidents likely to cause significant financial loss, affect a large number of customers, damage reputation, or compromise critical service delivery are generally treated as material. The judgement call needs to be documented and made conservatively. When there is genuine uncertainty, notify early and send a follow-up once you know more. Waiting for certainty is where organisations run into trouble.
How often does CPS 234 require penetration testing?
CPS 234 requires a systematic testing programme without specifying a fixed schedule. The frequency should reflect the risk profile of the assets being tested. APRA's thematic review findings point to annual penetration testing of critical systems as a floor for most entities. Higher-risk environments and systems that change frequently warrant more regular testing.
Does CPS 234 apply to technology vendors supplying APRA-regulated entities?
Not directly. The obligations sit with the regulated entity. But regulated entities must assess the information security controls of third parties managing their information assets and build security requirements into contracts. Suppliers holding or processing regulated data will increasingly be asked to provide evidence of their controls and to accept audit rights as a condition of doing business.
What happens if an APRA-regulated entity fails to meet CPS 234?
Enforceable undertakings, licence conditions and increased supervisory requirements have all been used against entities with material gaps. Serious or persistent failures can lead to capital adjustments or restrictions on business activity. APRA's public findings have called out board attestations completed without adequate assurance, and unaddressed third-party risk, as specific concerns.
IronSights works with financial services organisations on the technical controls and testing programmes that sit under CPS 234. A penetration test satisfies the CPS 234 testing obligation directly. The Fortify managed service covers the continuous monitoring, patching and incident response the standard requires.