APRA CPS 234

APRA CPS 234. Information security for regulated entities.

Banks, insurers, and super funds must maintain information security capability commensurate with threats. CyberHeed helps you demonstrate that capability - not just document it.

Regulator: APRA (Australian Prudential Regulation Authority)
Effective since: 1 July 2019
Incident notification: 72 hours
ISO/IEC 27001:2022 Certified | 18 Years in Australian Financial Regulation | Australian Data Residency
What is CPS 234?

APRA's mandatory information security standard for financial institutions.

Prudential Standard CPS 234 Information Security was issued by the Australian Prudential Regulation Authority (APRA) and came into effect on 1 July 2019. It sets out minimum requirements for APRA-regulated entities to maintain information security capability commensurate with the size and extent of threats to their information assets, and commensurate with the criticality and sensitivity of those assets. It is not guidance - it is a binding prudential standard. Non-compliance is a supervisory matter.

Who Must Comply?

CPS 234 applies to all APRA-regulated entities across the Australian financial services sector:

Authorised Deposit-Taking Institutions (ADIs)

Banks, building societies, credit unions, and other deposit-taking institutions regulated by APRA. Every ADI operating in Australia must comply with CPS 234, regardless of size.

General and Life Insurers

Licensed insurance companies must maintain information security capability appropriate to their risk profile. This includes the security of policyholder data, claims systems, and actuarial data.

Registrable Superannuation Entity (RSE) Licensees

Super funds managing retirement savings for millions of Australians. Given the volume and sensitivity of member data and financial assets, APRA expects robust information security from all RSE licensees.

Private Health Insurers

Private health insurance providers regulated by APRA, holding sensitive health and claims data for millions of members. CPS 234 obligations apply equally to health insurers.

APRA's Supervisory Approach

APRA takes a principles-based approach to CPS 234 supervision. Rather than prescribing specific controls, the standard requires entities to demonstrate capability commensurate with their risk profile:

Principles-Based, Not Prescriptive

CPS 234 does not specify which controls to implement. It requires capability, governance, and testing. Your organisation must determine the right controls for your risk profile and demonstrate they are effective.

Board Accountability

The Board is ultimately responsible for the information security of the entity under CPS 234 (paragraph 13). Board members must be satisfied that the entity maintains information security capability commensurate with the size and extent of threats to its information assets. Day-to-day work can be delegated to management and service providers; ultimate responsibility cannot.

72-Hour Notification

Entities must notify APRA as soon as possible, and no later than 72 hours, after becoming aware of an information security incident that materially affected, or had the potential to materially affect, the entity or its customers, or that has been notified to another regulator. They must also notify APRA as soon as possible, and no later than 10 business days, after becoming aware of a material information security control weakness that they expect will not be remediated in a timely manner.

Key Obligations

Nine areas of mandatory compliance. Each one examined by APRA.

CPS 234 is organised around nine obligation areas spanning paragraphs 13 to 36. APRA's supervisory teams assess compliance across all areas during reviews, with particular focus on areas where the entity's risk profile is elevated.

Roles and Responsibilities (CPS 234 Paragraphs 13–14) The Board is ultimately responsible for the information security of the entity and must ensure the entity maintains information security in a manner commensurate with the size and extent of threats (paragraph 13). An APRA-regulated entity must clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals with responsibility for decision-making, approval, oversight, operations and other information security functions (paragraph 14).

Information Security Capability (CPS 234 Paragraphs 15–17) Maintain an information security capability commensurate with the size and extent of threats to information assets, and which enables the continued sound operation of the entity (paragraph 15). Where information assets are managed by a related or third party, assess the information security capability of that party commensurate with the potential consequences of an incident affecting those assets (paragraph 16). Actively maintain information security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or the business environment (paragraph 17).

Policy Framework (CPS 234 Paragraphs 18–19) Maintain an information security policy framework commensurate with exposures to vulnerabilities and threats (paragraph 18). The framework must provide direction on the responsibilities of all parties who have an obligation to maintain information security — including Board, senior management, governing bodies, staff, contractors, related parties, third parties and customers (paragraph 19).

Information Asset Identification and Classification (CPS 234 Paragraph 20) Classify information assets, including those managed by related parties and third parties, by criticality and sensitivity. This classification must reflect the degree to which an information security incident affecting an asset has the potential to affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers.

Implementation of Controls (CPS 234 Paragraphs 21–22) Implement information security controls to protect information assets — including those managed by related and third parties — that are commensurate with vulnerabilities and threats, the criticality and sensitivity of the assets, their lifecycle stage, and the potential consequences of an incident (paragraph 21). Where information assets are managed by a related or third party, evaluate the design of that party's information security controls that protect those assets (paragraph 22).

Incident Management (CPS 234 Paragraphs 23–26) Maintain robust mechanisms to detect and respond to information security incidents in a timely manner (paragraph 23). Maintain plans to respond to information security incidents that the entity considers could plausibly occur (paragraph 24). Plans must cover all relevant stages from detection through to post-incident review, and include escalation and reporting to the Board and other governing bodies responsible for incident management and oversight (paragraph 25). Annually review and test those response plans to ensure they remain effective and fit-for-purpose (paragraph 26).

Testing Control Effectiveness (CPS 234 Paragraphs 27–31) Test the effectiveness of information security controls through a systematic testing programme. The nature and frequency of testing must be commensurate with the rate of change of vulnerabilities and threats, the criticality and sensitivity of the asset, the consequences of an incident, risks associated with exposure to environments where the entity cannot enforce its information security policies, and the materiality and frequency of change to information assets (paragraph 27). Where information assets are managed by a related or third party and the entity relies on that party's testing, assess whether the nature and frequency of that testing meets the same criteria (paragraph 28). Where testing identifies control deficiencies that cannot be remediated in a timely manner, escalate and report them to the Board or senior management (paragraph 29). Testing must be conducted by appropriately skilled and functionally independent specialists (paragraph 30). The sufficiency of the testing programme must be reviewed at least annually or when there is a material change to information assets or the business environment (paragraph 31).

Internal Audit (CPS 234 Paragraphs 32–34) Internal audit activities must include a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties (paragraph 32). This assurance must be provided by personnel appropriately skilled in information security (paragraph 33). Where an information security incident affecting third-party managed assets has the potential to materially affect the entity or its customers, and internal audit intends to rely on the third party's assurance, internal audit must assess that assurance (paragraph 34).

APRA Notification (CPS 234 Paragraphs 35–36) Notify APRA as soon as possible and no later than 72 hours after becoming aware of an information security incident that materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers, or that has been notified to another regulator in Australia or elsewhere (paragraph 35). Notify APRA as soon as possible and no later than 10 business days after becoming aware of a material information security control weakness that the entity expects it will not be able to remediate in a timely manner (paragraph 36).

Prepare - Comply - Manage

How CyberHeed handles CPS 234 compliance

CyberHeed maps every CPS 234 obligation, captures your current capability, identifies gaps, and tracks remediation - with evidence that withstands APRA scrutiny.

1. Prepare: Assess Capability

SmartPrep guides your team through structured conversations covering each CPS 234 obligation. Information security capability, policy framework, asset classification, control implementation, incident management, testing programmes, and third-party management - AI captures your current state and identifies where capability falls short of APRA's expectations.

Designed by a team with 18 years of Australian financial regulation experience. We know what APRA expects because we've seen it from the regulatory side.

2. Comply: Evidence and Validation

Upload evidence for each obligation. AI validates whether your documentation demonstrates the capability CPS 234 requires. Policy documents, asset registers, control testing reports, incident response procedures, third-party assessments - each validated against the specific obligation.

AutoMatch maps your existing security documentation to CPS 234 obligations automatically. If you already hold ISO 27001 or Essential Eight evidence, much of it can be reused as CPS 234 evidence.

3. Manage: Ongoing Compliance

CPS 234 compliance is continuous. Incident response plans and the sufficiency of the testing programme require annual review. Controls require testing commensurate with change and risk. Third-party capability requires ongoing assessment. CyberHeed tracks every recurring obligation with owners, deadlines, and evidence - so compliance is maintained, not rebuilt.

Board reporting is generated from your live compliance posture. When APRA requests evidence, it's current and comprehensive.

The APRA Prudential Framework

CPS 234 sits alongside CPS 230, which absorbed CPS 232 on 1 July 2025. CyberHeed covers all three.

APRA's prudential framework includes several related standards that work together. CPS 234 focuses on information security, while CPS 230 addresses operational risk management and resilience, including the business continuity requirements formerly set out in CPS 232. Together they form a comprehensive risk management framework for regulated entities.

CPS 230 - Operational Resilience

Effective 1 July 2025. Covers operational risk management, critical operations and tolerance levels, business continuity, material service provider management, and testing obligations. Information security capability under CPS 234 directly supports operational resilience under CPS 230.

CPS 232 - Business Continuity Management (now part of CPS 230)

CPS 232 was APRA's Prudential Standard for Business Continuity Management, covering BCM policy, business impact analysis, business continuity plans, recovery objectives, testing, and APRA notification. It was revoked on 1 July 2025 and its requirements have been consolidated into CPS 230 as part of the operational resilience framework. Entities that have transitioned to CPS 230 meet their BCM obligations under that standard.

CPG 234 - Information Security Guide

APRA's companion guidance to CPS 234. Not binding, but provides APRA's expectations on implementation. Covers governance, capability, policy, asset management, access control, and incident management in more detail.

Demonstrate your CPS 234 capability.

Built by a team with 18 years in Australian financial regulation. We know what APRA expects.

Book a Demo