Comply with APRA CPS 234 (Information Security)
APRA-regulated entities must maintain information security capability commensurate with the size and extent of threats.
Who must comply
All APRA-regulated entities.
What triggers it
Being APRA-regulated.
When due
Continuous; APRA notification within 72 hours of a material incident.
Evidence required
Information security policy, control testing, internal audit reports, incident notifications.
Max penalty
APRA enforcement actions including additional capital, licence conditions, directions
Summary
CPS 234 requires APRA-regulated entities (ADIs, insurers, RSE licensees) to clearly define information security-related roles, maintain capability, implement controls commensurate with vulnerabilities and threats, and notify APRA within 72 hours of a material information security incident.
Enforced by
Source legislation
Industries
Topics
Related obligations
- CWLTHReport cyber security incidents to ASD (SOCI)Critical infrastructure asset operators must report critical incidents within 12 hours and other incidents within 72 hours.
- CWLTHComply with APRA CPS 230 (Operational Risk Management)APRA-regulated entities must manage operational risk including a comprehensive third-party / outsourcing register from 1 July 2025.
- CWLTHAdopt Essential Eight Maturity Level 2 (federal subcontractors)Federal government contractors handling OFFICIAL: Sensitive must meet Right Fit For Risk (RFFR) including E8 ML2.
- CWLTHComply with SOCI Positive Security Obligation (PSO) per sectorSector-specific cyber + risk obligations under SOCI Part 2.
- CWLTHComply with APRA CPS 220 (Risk Management)APRA-regulated entities must have a comprehensive risk management framework.
- CWLTHAdopt and maintain a Critical Infrastructure Risk Management Program (CIRMP)Covered critical infrastructure entities must adopt a CIRMP addressing cyber, physical, personnel, and supply-chain hazards.
Frequently asked questions
- Who must comply with APRA CPS 234 (Information Security)?
- All APRA-regulated entities.
- What triggers APRA CPS 234 (Information Security)?
- Being APRA-regulated.
- When is APRA CPS 234 (Information Security) due?
- Continuous; APRA notification within 72 hours of a material incident.
- What is the maximum penalty for APRA CPS 234 (Information Security)?
- APRA enforcement actions including additional capital, licence conditions, directions
- What evidence is required for APRA CPS 234 (Information Security)?
- Information security policy, control testing, internal audit reports, incident notifications.
Source: https://apra.gov.au/information-security. Rules Mate is not a law firm. Always verify against the live regulator source before acting.