CPS 234 (Information Security)

APRA standard requiring information security capability.

CPS 234 (in force since 1 July 2019) requires APRA-regulated entities to clearly define information security roles, maintain an information security capability commensurate with the vulnerabilities and threats they face, implement controls, and notify APRA within 72 hours of a material information security incident. In 2023, APRA imposed a $250M increase on Medibank's capital requirement following CPS 234-related concerns.

Related obligations

Related regulators