Overview
APRA Prudential Standard CPS 234 (Information Security) is a legally binding prudential standard issued by the Australian Prudential Regulation Authority. Effective since July 2019, it requires APRA-regulated entities to maintain an information security capability commensurate with the size and extent of threats to their information assets. CPS 234 applies to all APRA-regulated entities, including authorised deposit-taking institutions (banks, credit unions, building societies), general and life insurance companies, private health insurers, and registrable superannuation entities.
Key Requirements
| Requirement | CPS 234 Reference | Description |
|---|---|---|
| Board Responsibility | Para 15 | Board is ultimately responsible for information security |
| Information Security Capability | Para 16-17 | Maintain capability commensurate with threats, including resources and funding |
| Policy Framework | Para 18 | Maintain an information security policy framework aligned to exposures |
| Information Asset Classification | Para 19-20 | Classify and maintain a register of information assets by criticality and sensitivity |
| Security Controls | Para 21-25 | Implement controls proportionate to asset criticality, regularly review and test effectiveness |
| Incident Management | Para 26-28 | Detect, report, and respond to information security incidents |
| Third-Party Security | Para 29-34 | Evaluate third-party information security capability and monitor ongoing compliance |
| Internal Audit | Para 35-36 | Ensure internal audit reviews the effectiveness of information security controls |
| APRA Notification | Para 28 | Notify APRA of material information security incidents within 72 hours |
Information Security Capability
CPS 234 requires that your information security capability be commensurate with the size and extent of threats to your information assets. In practice, this means your security function must scale with your risk profile. APRA looks for adequately skilled and experienced personnel, sufficient resources and funding approved by the Board, clearly defined roles and responsibilities with appropriate segregation of duties, and a governance structure that enables effective oversight. The Board must be actively involved: it must approve the entity's information security policy and evaluate the overall effectiveness of the program at least annually.
Implementation Checklist
- Establish Board oversight of information security with annual policy review and approval
- Classify all information assets based on criticality and sensitivity with a maintained asset register
- Implement security controls proportionate to the criticality and sensitivity of each information asset class
- Conduct security control testing through an independent testing program at least annually
- Establish a comprehensive incident detection, escalation, and response framework
- Notify APRA of material information security incidents within 72 hours
- Evaluate information security capability of all third parties managing critical or sensitive information assets
- Ensure service provider contracts include security requirements, audit rights, and breach notification obligations
- Maintain adequate segregation of duties between information security management and IT operations
- Ensure internal audit provides independent assurance on information security effectiveness
- Review and update the information security policy framework when there are material changes in risk
Third-Party Risk Management
CPS 234 places strong emphasis on third-party information security. Before engaging a third party to manage information assets, entities must evaluate the provider's information security capability and conduct ongoing monitoring. Where information assets are managed by a related party or third party, the entity must assess whether the controls in place are consistent with CPS 234 requirements. The entity retains full accountability for information security even when activities are outsourced. Internal audit coverage must extend to third-party arrangements.
APRA Examination Focus Areas
Based on APRA's published insights from CPS 234 reviews, common areas of concern include:
- Insufficient Board and senior management engagement with information security matters
- Incomplete information asset registers, particularly around unstructured data and cloud environments
- Security control testing programs that lack independence or adequate scope
- Third-party security assessments conducted only at onboarding without ongoing monitoring
- Incident response plans that have not been tested through realistic simulation exercises
- Inadequate information security resourcing relative to the entity's size and threat profile
Frequently Asked Questions
How does CPS 234 differ from the Essential Eight?
What is the APRA notification timeline for incidents?
Can we use external auditors for security control testing?
Does CPS 234 apply to cloud services?
What are the penalties for non-compliance?
