APRA CPS 234: Information Security for Australian Financial Services
CPS 234 is the Australian Prudential Regulation Authority’s binding information-security standard. In force since July 2019, it applies to every APRA-regulated entity — banks and other ADIs, general and life insurers, private health insurers, and superannuation trustees — and it puts information security squarely on the board’s shoulders. It is short, principles-based, and enforceable.
Who it applies to
If APRA regulates you, CPS 234 applies — there is no size threshold and no phase-in for smaller entities. Critically, it also reaches your supply chain: where your information assets are managed by a third party (a cloud provider, an outsourced administrator, a fintech partner), you remain responsible for evaluating that party’s information-security capability.
The core requirements
| Requirement | What it means in practice |
|---|---|
| Board accountability | The board is ultimately responsible for information security and must ensure the entity maintains resilience commensurate with threats. |
| Security capability | Maintain capability commensurate with the size and extent of threats — and reassess it when threats or the environment change. |
| Policy framework | A hierarchy of security policies that direct how information security is managed, proportionate to your exposure. |
| Asset identification & classification | Identify and classify information assets by criticality and sensitivity — including assets managed by third parties. |
| Controls | Implement controls proportionate to each asset’s criticality/sensitivity, at every lifecycle stage — and assess third-party controls too. |
| Systematic testing | Test control effectiveness through a systematic programme; escalate and remediate identified deficiencies. |
| Internal audit | Internal audit must review the design and operating effectiveness of information-security controls, including third parties’. |
| APRA notification | Notify APRA of material incidents and material control weaknesses (see below). |
The notification clocks
72 hours — notify APRA as soon as possible, and no later than 72 hours, after becoming aware of a material information-security incident (including incidents at third parties affecting your assets, and incidents notifiable to other regulators).
10 business days — notify APRA after identifying a material control weakness that you expect will not be remediated in a timely way.
These clocks demand a working incident-response process with clear materiality criteria — you cannot assess “material” at 2am during an incident if you haven’t defined it beforehand.
How CPS 234 fits with CPS 230 and ISO 27001
Since July 2025, CPS 230 (operational risk management) sits alongside CPS 234, extending expectations around critical operations, tolerance levels and service-provider management. In practice the two overlap heavily on third-party risk — one register of material service providers should serve both. And because CPS 234 is principles-based, most entities anchor their control set to ISO 27001 or the AU ISM and map CPS 234’s requirements onto it, rather than building a bespoke framework.
A pragmatic compliance sequence
- Build the information-asset inventory first — classification by criticality and sensitivity drives everything else.
- Define incident materiality criteria and rehearse the 72-hour notification path with a tabletop exercise.
- Map existing controls (ISO 27001 / Essential Eight / AU ISM) to CPS 234 requirements instead of starting fresh.
- Stand up a rolling control-testing programme with findings tracked to closure — APRA expects systematic, not ad hoc.
- Assess the security capability of every third party that manages your information assets, proportionate to criticality.
- Brief the board regularly — accountability is theirs, so the reporting must reach them in business terms.
The bottom line
CPS 234 is deliberately short — around a dozen pages — but it is enforceable, board-level, and supply-chain-aware. Treat it as an assurance overlay on a solid control framework: inventory your assets, test your controls on a schedule, keep evidence, and make sure the board genuinely owns the outcome.
Manage CPS 234 alongside every other framework
Cyber Horizon maps APRA CPS 234 into a shared control library with ISO 27001, Essential Eight and 70+ other frameworks — one asset register, one testing programme, evidence that counts everywhere.
Book a Demo