APRA CPS 234

APRA CPS 234. Information security for regulated entities.

Banks, insurers, and super funds must maintain information security capability commensurate with threats. CyberHeed helps you demonstrate that capability - not just document it.

APRA (Australian Prudential Regulation Authority)
Effective since: 2019
Incident notification: 72 hr
ISO/IEC 27001:2022 Certified
18 Years in Australian Financial Regulation
Australian Data Residency
What is CPS 234?

APRA's mandatory information security standard for financial institutions.

Prudential Standard CPS 234 Information Security was issued by the Australian Prudential Regulation Authority (APRA) and came into effect on 1 July 2019. It sets out minimum requirements for APRA-regulated entities to maintain information security capability commensurate with the size and extent of threats to their information assets, and commensurate with the criticality and sensitivity of those assets. It is not guidance - it is a binding prudential standard. Non-compliance is a supervisory matter.

Who Must Comply?

CPS 234 applies to all APRA-regulated entities across the Australian financial services sector:

Authorised Deposit-Taking Institutions (ADIs)

Banks, building societies, credit unions, and other deposit-taking institutions regulated by APRA. Every ADI operating in Australia must comply with CPS 234, regardless of size.

General and Life Insurers

Licensed insurance companies must maintain information security capability appropriate to their risk profile. This includes the security of policyholder data, claims systems, and actuarial data.

Registrable Superannuation Entity (RSE) Licensees

Super funds managing retirement savings for millions of Australians. Given the volume and sensitivity of member data and financial assets, APRA expects robust information security from all RSE licensees.

Private Health Insurers

Private health insurance providers regulated by APRA, holding sensitive health and claims data for millions of members. CPS 234 obligations apply equally to health insurers.

APRA's Supervisory Approach

APRA takes a principles-based approach to CPS 234 supervision. Rather than prescribing specific controls, the standard requires entities to demonstrate capability commensurate with their risk profile:

Principles-Based, Not Prescriptive

CPS 234 does not specify which controls to implement. It requires capability, governance, and testing. Your organisation must determine the right controls for your risk profile and demonstrate they are effective.

Board Accountability

The board is ultimately responsible for information security under CPS 234. Board members must be satisfied that the entity has adequate information security capability. This is personal accountability - not delegable.

72-Hour Notification

Entities must notify APRA within 72 hours of becoming aware of a material information security incident. They must also notify APRA within 10 business days of becoming aware of a material information security control weakness that cannot be remediated in a timely manner.

Key Obligations

Seven areas of mandatory compliance. Each one examined by APRA.

CPS 234 is organised around seven key obligation areas. APRA's supervisory teams assess compliance across all seven during reviews, with particular focus on areas where the entity's risk profile is elevated.

Information Security Capability (CPS 234 Paragraphs 14-15)

Maintain an information security capability commensurate with the size and extent of threats to information assets, and which enables the continued sound operation of the entity. This is the overarching requirement - capability must be proportionate to risk. An entity processing millions of transactions daily needs different capability than a small specialist insurer.

Policy Framework (CPS 234 Paragraphs 16-17)

Maintain an information security policy framework commensurate with exposures to vulnerabilities and threats. The framework must be reviewed at least annually and provide direction on the responsibilities of all parties. Policies must be living documents - reviewed, updated, and enforced, not shelf-ware.

Information Asset Identification and Classification (CPS 234 Paragraphs 18-19)

Classify information assets by criticality and sensitivity. This classification must reflect the degree to which an information security incident affecting the asset could affect the entity or the interests of depositors, policyholders, or fund members. Classification drives control requirements.

Implementation of Controls (CPS 234 Paragraphs 20-22)

Implement controls to protect information assets commensurate with their criticality and sensitivity, and which are subject to a testing programme commensurate with the rate of change and risk. Controls without testing are assumptions. APRA expects evidence of both implementation and effectiveness.

Incident Management (CPS 234 Paragraphs 23-28)

Maintain robust mechanisms to detect and respond to information security incidents in a timely manner. Establish plans to respond to material information security incidents. Notify APRA within 72 hours of becoming aware of a material incident and within 10 business days of a material control weakness.

Testing Control Effectiveness (CPS 234 Paragraphs 29-34)

Systematically test the effectiveness of information security controls through a programme commensurate with the rate of change of vulnerabilities and threats, the criticality and sensitivity of assets, the consequences of incidents, the risks associated with exposure, and the frequency of testing. Internal audit must assess design and operating effectiveness.

Third-Party and Related Party Management (CPS 234 Paragraphs 35-36)

Where information assets are managed by a related party or third party, the entity must evaluate the information security capability of that party commensurate with the potential consequences of an information security incident. The entity remains accountable - outsourcing does not outsource the obligation. Due diligence must be conducted before engagement and monitored throughout the relationship.

Prepare - Comply - Manage

How CyberHeed handles CPS 234 compliance

CyberHeed maps every CPS 234 obligation, captures your current capability, identifies gaps, and tracks remediation - with evidence that withstands APRA scrutiny.

1. Prepare: Assess Capability

SmartPrep guides your team through structured conversations covering each CPS 234 obligation. Information security capability, policy framework, asset classification, control implementation, incident management, testing programmes, and third-party management - AI captures your current state and identifies where capability falls short of APRA's expectations.

Designed by a team with 18 years of Australian financial regulation experience. We know what APRA expects because we've seen it from the regulatory side.

2. Comply: Evidence and Validation

Upload evidence for each obligation. AI validates whether your documentation demonstrates the capability CPS 234 requires. Policy documents, asset registers, control testing reports, incident response procedures, third-party assessments - each validated against the specific obligation.

AutoMatch maps your existing security documentation to CPS 234 obligations automatically. If you already have ISO 27001 or Essential Eight evidence, much of it counts toward CPS 234.

3. Manage: Ongoing Compliance

CPS 234 compliance is continuous. Policies require annual review. Controls require testing commensurate with change and risk. Third-party capability requires ongoing assessment. CyberHeed tracks every recurring obligation with owners, deadlines, and evidence - so compliance is maintained, not rebuilt.

Board reporting is generated from your live compliance posture. When APRA requests evidence, it's current and comprehensive.

The APRA Prudential Framework

CPS 234 sits alongside CPS 230 and CPS 232. CyberHeed covers all three.

APRA's prudential framework includes several related standards that work together. CPS 234 focuses on information security, while CPS 230 addresses operational resilience and CPS 232 covers data risk management. Together they form a comprehensive risk management framework for regulated entities.

CPS 230 - Operational Resilience

Effective July 2025. Covers business continuity, critical operations, service provider management, and testing obligations. Information security capability under CPS 234 directly supports operational resilience under CPS 230.

CPS 232 - Data Risk Management

Addresses the management of data risk, including data governance, data quality, and data lifecycle management. Information asset classification under CPS 234 informs data risk management under CPS 232.

CPG 234 - Information Security Guide

APRA's companion guidance to CPS 234. Not binding, but provides APRA's expectations on implementation. Covers governance, capability, policy, asset management, access control, and incident management in more detail.

Multi-Framework Advantage

Already doing ISO 27001? You're well on your way to CPS 234.

CPS 234's principles-based requirements align closely with ISO 27001's management system approach. If you've built an ISMS, you have the governance foundation CPS 234 demands. CyberHeed maps controls across both frameworks automatically.

~55% - ISO 27001 to CPS 234

ISO 27001's management system clauses and Annex A controls provide the structured governance, risk assessment, access control, incident management, and supplier management that CPS 234 requires.

~60% - Essential Eight to CPS 234

Essential Eight strategies directly demonstrate information security capability in the areas CPS 234 expects. Patch management, MFA, application control, and admin privilege management are exactly the controls APRA looks for.

~40% - NIST CSF to CPS 234

NIST CSF's five functions provide a comprehensive cybersecurity programme structure. CPS 234's capability, detection, and response requirements map to NIST CSF Protect, Detect, and Respond functions.


Demonstrate your CPS 234 capability.

Built by a team with 18 years in Australian financial regulation. We know what APRA expects.
