Cyber Horizon
Back to Blog
APRA CPS 234Financial ServicesAPAC

APRA CPS 234: Information Security for Australian Financial Services

22 June 2026·8 min read·Cyber Horizon Team

CPS 234 is the Australian Prudential Regulation Authority’s binding information-security standard. In force since July 2019, it applies to every APRA-regulated entity — banks and other ADIs, general and life insurers, private health insurers, and superannuation trustees — and it puts information security squarely on the board’s shoulders. It is short, principles-based, and enforceable.

Who it applies to

If APRA regulates you, CPS 234 applies — there is no size threshold and no phase-in for smaller entities. Critically, it also reaches your supply chain: where your information assets are managed by a third party (a cloud provider, an outsourced administrator, a fintech partner), you remain responsible for evaluating that party’s information-security capability.

The core requirements

RequirementWhat it means in practice
Board accountabilityThe board is ultimately responsible for information security and must ensure the entity maintains resilience commensurate with threats.
Security capabilityMaintain capability commensurate with the size and extent of threats — and reassess it when threats or the environment change.
Policy frameworkA hierarchy of security policies that direct how information security is managed, proportionate to your exposure.
Asset identification & classificationIdentify and classify information assets by criticality and sensitivity — including assets managed by third parties.
ControlsImplement controls proportionate to each asset’s criticality/sensitivity, at every lifecycle stage — and assess third-party controls too.
Systematic testingTest control effectiveness through a systematic programme; escalate and remediate identified deficiencies.
Internal auditInternal audit must review the design and operating effectiveness of information-security controls, including third parties’.
APRA notificationNotify APRA of material incidents and material control weaknesses (see below).

The notification clocks

72 hours — notify APRA as soon as possible, and no later than 72 hours, after becoming aware of a material information-security incident (including incidents at third parties affecting your assets, and incidents notifiable to other regulators).

10 business days — notify APRA after identifying a material control weakness that you expect will not be remediated in a timely way.

These clocks demand a working incident-response process with clear materiality criteria — you cannot assess “material” at 2am during an incident if you haven’t defined it beforehand.

How CPS 234 fits with CPS 230 and ISO 27001

Since July 2025, CPS 230 (operational risk management) sits alongside CPS 234, extending expectations around critical operations, tolerance levels and service-provider management. In practice the two overlap heavily on third-party risk — one register of material service providers should serve both. And because CPS 234 is principles-based, most entities anchor their control set to ISO 27001 or the AU ISM and map CPS 234’s requirements onto it, rather than building a bespoke framework.

A pragmatic compliance sequence

  • Build the information-asset inventory first — classification by criticality and sensitivity drives everything else.
  • Define incident materiality criteria and rehearse the 72-hour notification path with a tabletop exercise.
  • Map existing controls (ISO 27001 / Essential Eight / AU ISM) to CPS 234 requirements instead of starting fresh.
  • Stand up a rolling control-testing programme with findings tracked to closure — APRA expects systematic, not ad hoc.
  • Assess the security capability of every third party that manages your information assets, proportionate to criticality.
  • Brief the board regularly — accountability is theirs, so the reporting must reach them in business terms.

The bottom line

CPS 234 is deliberately short — around a dozen pages — but it is enforceable, board-level, and supply-chain-aware. Treat it as an assurance overlay on a solid control framework: inventory your assets, test your controls on a schedule, keep evidence, and make sure the board genuinely owns the outcome.

Manage CPS 234 alongside every other framework

Cyber Horizon maps APRA CPS 234 into a shared control library with ISO 27001, Essential Eight and 70+ other frameworks — one asset register, one testing programme, evidence that counts everywhere.

Book a Demo