
APRA CPS 234 Information Security: The Standalone Deep Dive

Plain-English guide to APRA Prudential Standard CPS 234 Information Security — in force since 1 July 2019, with 72-hour breach notification to APRA.

Rules Mate Editorial. Published 2 June 2026. 2 min read.

What CPS 234 is and who it applies to

Prudential Standard CPS 234 Information Security came into effect on 1 July 2019. It applies to all APRA-regulated entities, including ADIs, general insurers, life insurers, private health insurers, and superannuation trustees. This standard builds upon existing obligations and should be read alongside CPS 230 (see CPS 230 vs CPS 234).

The objective of CPS 234 is to ensure that these entities maintain an information security capability that is appropriate to the information security vulnerabilities and threats they face. This requires a risk-based approach to managing information security.

Ultimate responsibility for information security rests with the Board of each APRA-regulated entity. This standard is supported by Prudential Practice Guide CPG 234, which provides further guidance on meeting the requirements of CPS 234.

Core information security requirements

Information security requirements under CPS 234 mandate a clear delineation of responsibilities. Entities are obligated to define the information security-related roles and responsibilities of the Board, senior management, governing bodies, and individual personnel. This ensures accountability and establishes a framework for information security governance.

The standard requires that information security controls are appropriate to the entity’s exposures. These controls must be designed to protect against information security incidents. Furthermore, a systematic testing program is necessary to evaluate the effectiveness of these controls.

Entities must also ensure that internal audit reviews both the design and operating effectiveness of information security controls. Where third parties manage information assets, those third parties must implement controls that are commensurate with the entity’s own.

Notification obligations to APRA

APRA requires notification of information security incidents. An incident must be reported if it materially affected, or had the potential to materially affect, an entity or its customers, either financially or non-financially. Notification must occur as soon as possible, and no later than 72 hours after the entity becomes aware of the incident.

If an incident has already been notified to another regulator, whether in Australia or overseas, the 72-hour notification requirement to APRA still applies. This ensures APRA is informed of incidents impacting the Australian financial sector, regardless of prior reporting.

Additionally, material information security control weaknesses that are not remediated in a timely manner must be notified to APRA within 10 business days. Notifications to APRA are to be submitted via the APRA Notify a breach portal.

Common CPS 234 implementation pitfalls

Many institutions treat CPS 234 as an information technology responsibility rather than recognising it as a Board-level prudential standard. This can lead to insufficient oversight and a lack of integration with the broader APRA CPS 220 risk management framework. A Board-level understanding is critical to ensure information security risks are appropriately considered and managed across the entire organisation.

A frequent oversight is the failure to identify and map information assets held by material third parties. This includes cloud providers, processors, and administrators. Without a clear understanding of where critical information resides and who has access to it, institutions cannot effectively manage the associated risks and meet their obligations under CPS 234.

Other common implementation challenges include weak evidence of independent assurance over third-party controls and slow incident triage processes that hinder compliance with the 72-hour notification window. Additionally, institutions sometimes fail to regularly refresh information security policies to reflect evolving threats and business changes.

Frequently asked

When did CPS 234 commence?

1 July 2019. It applies to all APRA-regulated entities across banking, insurance and superannuation.

How fast must APRA be notified of an information security incident?

As soon as possible, and in any case no later than 72 hours after becoming aware of a materially affecting incident.
