
How to stay compliant with CPS 234 in 2025?

Learn about APRA CPS 234, its requirements, and how to ensure compliance with robust cybersecurity practices to safeguard critical information assets

Vincent Delitz

Created: January 2, 2025

Updated: January 15, 2025


Our mission is to make the Internet a safer place, and the new login standard, passkeys, provides a superior way to achieve that. That's why we want to help you understand passkeys and their characteristics better.

1. Overview of APRA Prudential Standard CPS 234

The Prudential Standard CPS 234 Information Security (CPS 234) was introduced by the Australian Prudential Regulation Authority (APRA) to address the growing threat of cyberattacks in the financial sector. Its primary aim is to ensure APRA-regulated entities maintain robust information security measures to mitigate the risk of information security incidents, including cyberattacks.

APRA's mission is to enforce prudential standards that support a stable, efficient, and competitive financial services sector, ensuring financial promises made by its regulated entities are met under all reasonable circumstances. CPS 234 exemplifies this mission by mandating entities to establish and maintain information security capabilities commensurate with the evolving landscape of security vulnerabilities and threats.

This article covers the essential information on compliance with CPS 234 in 2025.

2. Why is CPS 234 important?

CPS 234 plays a crucial role in safeguarding Australian businesses by ensuring resilience against cyber threats and other security risks. It also requires entities to respond promptly to significant security incidents, such as data breaches.

Cyberattacks targeting financial institutions have become increasingly sophisticated, driven by the potential for financial gain and access to sensitive data, including personally identifiable information (PII) and protected health information (PHI). Financial institutions, which manage assets exceeding $6.5 trillion, are particularly attractive to attackers.

The rise in third-party vendor reliance within the superannuation, banking, and insurance sectors has amplified these risks. Consequently, stakeholders demand higher standards of information security to protect critical information assets.

By enforcing rigorous security measures and vendor risk management practices, CPS 234 aims to reduce the frequency and impact of cybersecurity incidents, ultimately enhancing the resilience of the financial sector.

3. Who is subject to CPS 234?

CPS 234 applies to all APRA-regulated entities, including:

  • Authorized deposit-taking institutions (ADIs) such as banks, credit unions, and foreign ADIs
  • General insurers, including non-operating holding companies and parent entities of Level 2 insurance groups
  • Life insurance companies, friendly societies, and eligible foreign life insurers
  • Private health insurers
  • Superannuation funds and RSE licensees

The standard also extends to information assets managed by third-party vendors, requiring these parties to comply with CPS 234 mandates.

4. Governance and Responsibility

The Board of Directors holds ultimate responsibility for CPS 234 compliance. Boards must ensure that their organizations maintain robust information security aligned with the scale of risks to their information assets. While the Board may delegate responsibilities, it must clearly define expectations for engagement, risk escalation, and reporting.

Entities are required to establish clearly defined roles and responsibilities for all stakeholders involved in information security, including senior management, governing bodies, and operational teams. These roles are supported by role statements, policies, reporting lines, and governance charters to avoid ambiguity and ensure accountability.

Effective oversight requires non-technical stakeholders to receive comprehensible reports supplemented by analysis of business implications, ensuring informed decision-making.


5. What are the Key Requirements of CPS 234?

CPS 234 outlines critical requirements to ensure comprehensive information security. These include:

  1. Information Security Capability
    Entities must maintain capabilities proportional to the size and nature of threats to their information assets, actively adapting to evolving risks and vulnerabilities.

  2. Policy Framework
    An information security policy framework must define roles, responsibilities, and security practices for all stakeholders, including contractors and third-party vendors.

  3. Information Asset Identification and Classification
    Information assets must be classified by their sensitivity and criticality to prioritize protection measures.

  4. Control Implementation
    Security controls must be designed, tested, and maintained throughout the lifecycle of information assets.

  5. Incident Management
    Entities must have robust mechanisms to detect, respond to, and recover from information security incidents.

  6. Control Testing
    Regular and systematic testing must validate the effectiveness of security measures.

  7. Internal Audit
    Independent audits must assess the adequacy of information security controls and provide assurance to the Board.

  8. APRA Notification
    Material security incidents or weaknesses must be reported to APRA within specified timeframes.


6. How to Achieve Compliance with CPS 234

To comply with CPS 234, entities need to develop and implement a robust security framework that addresses the standard's key requirements. This involves aligning organizational processes, resources, and technologies with the demands of evolving cybersecurity threats. Key steps include:

6.1 Establishing and Maintaining Adaptive Security Capabilities

  • Conduct regular assessments of the organization's resourcing, including funding, personnel, and access to specialized skill sets.
  • Implement a dynamic control environment that evolves with emerging threats, vulnerabilities, and business changes.
  • Ensure continuous training for staff involved in cybersecurity to maintain awareness of current risks and mitigation strategies.

6.2 Identifying and Classifying Information Assets

  • Develop an inventory of all information assets, including those managed by third-party vendors.
  • Categorize assets based on their criticality and sensitivity to prioritize security measures.
  • Use tools like configuration management databases (CMDBs) to maintain up-to-date asset relationships and dependencies.

6.3 Enhancing Vendor and Third-Party Oversight

  • Conduct due diligence on third-party vendors to ensure their security practices align with CPS 234 requirements.
  • Establish clear contractual obligations for information security, including provisions for monitoring, audits, and incident management.
  • Regularly evaluate vendor performance through periodic reviews, testing, and risk assessments.

6.4 Strengthening Incident Management

  • Develop a comprehensive incident response plan to address various security threats, such as ransomware, phishing, or unauthorized access.
  • Test incident response plans regularly to ensure their effectiveness in mitigating potential breaches.
  • Define clear roles and escalation paths to ensure timely responses to incidents.

6.5 Implementing and Testing Security Controls

  • Apply security controls commensurate with the criticality and sensitivity of information assets, ensuring timely remediation of vulnerabilities.
  • Conduct regular testing of controls, such as penetration testing and vulnerability assessments, to validate their effectiveness.
  • Include scenarios for worst-case incidents in the testing plan to prepare for extreme but plausible threats.

6.6 Establishing a Policy Framework

  • Develop a hierarchical set of policies, standards, and procedures addressing all aspects of information security, from access control to data lifecycle management.
  • Periodically review and update policies to ensure alignment with evolving regulatory and industry standards.
  • Incorporate measures to address exemptions, ensuring compensating controls are in place and monitored.

6.7 Ensuring Clear Governance and Accountability

  • Define roles and responsibilities for information security at all organizational levels, from the Board to operational teams.
  • Ensure robust reporting mechanisms that provide stakeholders with actionable insights into the organization’s security posture.
  • Regularly engage the Board and senior management to reinforce accountability and drive strategic alignment with cybersecurity objectives.

6.8 Maintaining a Culture of Security

  • Foster a culture of security awareness throughout the organization by providing regular training and communication about cybersecurity practices.
  • Promote the integration of security into all business processes and decision-making.

7. Incident Notification and Escalation

Under CPS 234, material security incidents must be reported to APRA within 72 hours. Entities must provide detailed information, including the incident’s nature, status, and mitigation actions. Similarly, material control weaknesses must be reported within 10 business days, along with planned remediation efforts.

8. Conclusion

CPS 234 is a cornerstone of APRA’s efforts to enhance cybersecurity in the financial sector. By enforcing robust security practices, fostering a culture of vigilance, and ensuring compliance across the value chain, CPS 234 helps safeguard critical information assets and maintain trust in the financial services industry.
