Rules Mate

Comply with APRA CPS 234 (Information Security)

APRA-regulated entities must maintain information security capability commensurate with the size and extent of threats.

criticalcurrentongoing

Who must comply

All APRA-regulated entities.

What triggers it

Being APRA-regulated.

When due

Continuous; APRA notification within 72 hours of a material incident.

Evidence required

Information security policy, control testing, internal audit reports, incident notifications.

Max penalty

APRA enforcement actions including additional capital, licence conditions, directions

Summary

CPS 234 requires APRA-regulated entities (ADIs, insurers, RSE licensees) to clearly define information security-related roles, maintain capability, implement controls commensurate with vulnerabilities and threats, and notify APRA within 72 hours of a material information security incident.

Enforced by

Source legislation

Industries

Topics

cyberinformation-securityapra

Related obligations

Frequently asked questions

Who must comply with APRA CPS 234 (Information Security)?
All APRA-regulated entities.
What triggers APRA CPS 234 (Information Security)?
Being APRA-regulated.
When is APRA CPS 234 (Information Security) due?
Continuous; APRA notification within 72 hours of a material incident.
What is the maximum penalty for APRA CPS 234 (Information Security)?
APRA enforcement actions including additional capital, licence conditions, directions
What evidence is required for APRA CPS 234 (Information Security)?
Information security policy, control testing, internal audit reports, incident notifications.

Source: https://apra.gov.au/information-security. Rules Mate is not a law firm. Always verify against the live regulator source before acting.