Definition and purpose

The APRA Prudential Standard CPS 234 Information Security (“Prudential Standard CPS 234”) aims to ensure that APRA-regulated entities take measures to be resilient against information security incidents, including cyberattacks, in order to maintain the confidentiality, integrity, or availability of information assets, including information assets managed by related parties or third parties.

This Prudential Standard ultimately seeks to increase the safety of the data Australians entrust to their financial institutions and enhance overall system stability. 

Governing Body

The governing body for Prudential Standard CPS 234 is the Australian Prudential Regulation Authority (APRA), which is responsible for supervising and regulating financial institutions in Australia.

Last updated

The most recent version of Prudential Standard CPS 234 was released in July 2019.

Applies to

Prudential Standard CPS 234 applies to all APRA-regulated entities, including authorized deposit-taking institutions (ADIs), general insurers, life companies, private health insurers, and registrable superannuation entities (RSEs) in Australia. It specifically targets the financial services industry.

Controls and requirements

The framework outlines various controls and requirements that APRA-regulated entities must adhere to. These fall under the following domain areas:

• Roles and responsibilities: Clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals.
• Information security capability: Maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.
• Policy framework: Maintain an information security policy framework that is commensurate with your exposures to vulnerabilities and threats and provides direction on the responsibilities of all parties who have an obligation to maintain information security.
• Information asset identification and classification: Classify your information assets, including those managed by related parties and third parties, by criticality and sensitivity.
• Implementation of controls: Implement controls to protect your information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls.
• Incident management: Have robust mechanisms in place to detect and
• respond to information security incidents in a timely manner, including information security response plans. 
• Testing control effectiveness: Test the effectiveness of your information security
• controls through a systematic testing program. 
• Internal audit: Have skilled personnel review the design and operating effectiveness of information security controls, including those maintained by related parties and third parties.
• APRA notification: Notify APRA of material information security incidents as soon as possible and no later than 72 hours after becoming aware of the incident.

Please refer to the official Prudential Standard CPS 234 documentation for a detailed list of controls and requirements.

Audit type, frequency, and duration

Prudential Standard CPS 234 requires entities to perform internal audits that assess all aspects of the information security control environment over time. It does not specify frequency or duration. However, it does require that entities annually review and test their information security response plans and the sufficiency of their control testing program. So internal audits are generally conducted on an annual basis or when there is a material change to information assets or the business environment.