CPS 234 readiness scorer
APRA's Prudential Standard CPS 234 (Information Security) has applied to all APRA-regulated entities since 1 July 2019 — and to information assets managed by third parties since 1 July 2020. This tool scores your program across 10 control areas, prioritises gaps by severity, and surfaces APRA's 72-hour and 10-business-day notification triggers.
Reference tool — not professional advice. CPS 234 is a principles-based standard; your specific obligations depend on entity class, the criticality and sensitivity of your information assets, and your threat environment. Always confirm with APRA or an APRA-experienced information-security consultant for material decisions.
Frequently asked questions
- Who does CPS 234 apply to?
  All APRA-regulated entities: ADIs (banks, credit unions, building societies), general/life/private health insurers, RSE licensees (super fund trustees) and licensed non-operating holding companies (NOHCs). CPS 234 has been in force since 1 July 2019.
- How quickly must I notify APRA of an incident?
  No later than 72 hours after becoming aware of a material information-security incident. You must also notify APRA no later than 10 business days after becoming aware of a material information-security control weakness that cannot be remediated in a timely manner.
- What's the difference between CPS 234 and CPS 230?
  CPS 234 is the information-security standard specifically — board accountability, asset classification, controls, testing and internal audit. CPS 230 is the broader operational risk standard covering business continuity, critical operations and service-provider management. Both apply to in-scope entities.
- Does CPS 234 cover systems run by third parties?
  Yes. Since 1 July 2020 CPS 234 has applied to information assets managed by third and related parties. You must classify those assets, ensure controls are implemented, and be able to test (or rely on the provider's testing of) control effectiveness and evidence it to APRA.