STANDARD · APRA-REGULATED FINANCIAL SERVICES

APRA CPS 234: the 2026 guide for Australian financial services.

Information security obligations for APRA-regulated entities. Mandatory, broad in scope, and audited. Cybereen tracks the controls and the evidence so your annual attestation isn't a fire drill.

01

What is CPS 234?

CPS 234 — Information Security is APRA's prudential standard requiring regulated entities to maintain information security capability commensurate with the threats they face. It is short, principles-based, and deliberately tech-agnostic — nine pages of obligations rather than a prescriptive control checklist.

Its single objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of an entity's information assets — including assets managed by third parties. It came into force 1 July 2019 and sits alongside CPS 230 (operational risk) and CPS 220 (risk management) in APRA's prudential framework.

Because the standard is principles-based, APRA pairs it with CPG 234, a prudential practice guide. CPG 234 isn't legally binding, but it's how APRA describes good practice and how reviewers form a view. If your evidence doesn't map cleanly to CPG 234, a thematic review or post-incident probe gets uncomfortable quickly.

02

Who must comply (and what "APRA-regulated" actually means)

CPS 234 applies to all APRA-regulated entities — there are no size thresholds and no exemptions. "APRA-regulated" means you hold a licence or authorisation under one of the industry Acts APRA administers. In practice that's:

  • ADIs — authorised deposit-taking institutions: banks, building societies, credit unions, and restricted ADIs.
  • Insurers — general insurers, life insurers, and private health insurers.
  • Superannuation — RSE licensees responsible for registrable superannuation entities.
  • Authorised and registered groups — including Level 2 and Level 3 groups, where the standard applies on a group basis.

The obligations are identical on paper for a major bank and a small mutual. What differs is the bar: APRA expects capability and controls "commensurate with size, business mix and complexity," so a systemically important institution is held to a materially higher standard than a regional credit union.

03

The five core obligations

The standard's requirements group cleanly into five obligations. The paragraph references point back to the CPS 234 text; each maps to corresponding guidance in CPG 234.

1 · ¶ 13–15 · Roles & responsibilities

The Board is ultimately responsible for information security. Clear roles defined across the entity, third parties, and senior management.

2 · ¶ 16–19 · Information security capability

Capability commensurate with the size, business mix and complexity of the entity — and the capability of third parties handling your assets.

3 · ¶ 20–25, 30–34 · Policy framework & controls

A maintained information security policy suite, controls commensurate with threat and asset criticality, and a programme that tests control effectiveness.

4 · ¶ 22, 26–29 · Assets & incident management

Identify and classify information assets by criticality and sensitivity; plan to detect, respond to and recover from incidents — and test those plans.

5 · ¶ 35–37 · Internal audit assurance & APRA notification

Internal audit reviews the design and operating effectiveness of controls, including those maintained by third parties — plus the two notification clocks: 72 hours for material incidents, 10 business days for material control weaknesses.

04

Board accountability — what CPS 234 means at the top

CPS 234 ¶13 is unusually direct: the Board of the regulated entity is ultimately responsible for the information security of the entity. The Board can delegate operational accountability — to a CISO, an executive committee, or a service provider — but it cannot delegate the responsibility itself.

In practice this means APRA expects to see the Board engaged, not just informed. Thematic reviews routinely request Board and committee papers from the previous twelve months looking for evidence that information security risk was discussed, that capability investment was challenged, and that incidents and control weaknesses were escalated.

What "good" looks like: a standing information-security item on the risk committee agenda, a capability statement the Board has actually reviewed, and minuted decisions on risk appetite and remediation funding — not a once-a-year slide.

05

Information security capability — how APRA expects you to measure it

"Capability" under CPS 234 is broader than headcount or tooling. It's the combination of people, processes and technology that lets you maintain security commensurate with your threat environment — and it must be actively maintained as that environment and your business change.

APRA expects you to be able to articulate your capability and justify it against your size, business mix and complexity. That includes the capability of any third party that manages information assets on your behalf: their gaps are your gaps. What APRA looks for:

  • A documented, current view of capability against the threats relevant to your business.
  • Evidence that capability is reassessed when there's material change — new products, M&A, major outsourcing.
  • An honest gap analysis with funded remediation, not aspirational target states.

06

Incident notification — the 72-hour rule and what triggers it

CPS 234 carries two distinct notification clocks. Both are obligations to APRA, both start at "becoming aware", and both are common enforcement triggers when missed.

¶ 36 · Material incident

72 hours

Notify APRA within 72 hours of becoming aware of an information security incident that has materially affected, or had the potential to materially affect, the entity or the interests of depositors, policyholders or members.

¶ 37 · Control weakness

10 business days

Notify APRA within 10 business days of identifying a material information security control weakness that you expect won't be remediated in a timely manner — including one surfaced by audit or a third party.

The recurring failure isn't intent — it's hesitation. Teams wait to be certain something is "material" before starting the clock. APRA's posture is the opposite: if in doubt, notify. Late notification is enforcement territory; over-notification is not. Pre-agreed materiality criteria and a notify-by-default rule remove the judgement call at the worst possible moment.

07

Third-party risk under CPS 234

CPS 234 explicitly extends to information assets managed by a third party on your behalf. Outsourcing the activity does not outsource the obligation — "our SaaS vendor handles security" is not a defence in a thematic review.

For each provider that touches a material information asset, APRA expects you to assess and have visibility of their information security capability, obtain assurance over their controls, and have a contractual route to incident information so you can meet your own notification clocks. In practice that means:

  • A register of third parties that manage or access your information assets, rated by criticality.
  • Independent assurance on file — SOC 2 Type II, ISO 27001 certification, or a completed security assessment — with renewal dates tracked.
  • Incident-notification clauses that flow material events to you fast enough to meet the 72-hour rule.

08

How CPS 234 interacts with CPS 230 (operational risk)

CPS 230 — Operational Risk Management took effect 1 July 2025, replacing CPS 231 and CPS 232. It is broader than CPS 234: it covers operational risk management, business continuity, and the management of material service providers. Information security is one component of operational risk under CPS 230.

The cleanest way to hold the two in your head: CPS 234 is the cyber lens; CPS 230 is the operational-risk lens. Both apply to the same entities, and they overlap by design — third-party management, incident response and resilience testing appear in both. Maintaining two parallel evidence bases is wasted effort; the same control evidence should satisfy both standards.

Reuse note: a well-built CPS 234 third-party register and incident-management programme will fulfil a large share of the corresponding CPS 230 obligations — capture the evidence once and map it to both.

09

Common findings in APRA reviews

From APRA's published thematic-review observations and the patterns we see in pre-review work, the same three gaps recur regardless of entity size.

1. Third parties out of sight

Information assets sit with providers, but the entity holds no current capability evidence, no attestations, and no incident channel. The register is stale or scoped only to "major" outsourcing.

2. Testing treated as a tick-box

An annual penetration test is presented as the testing programme. CPS 234 ¶30–34 asks for systematic testing with frequency tied to asset criticality, covering the full control set — and independent assurance where controls are critical.

3. Evidence that can't be produced on demand

Controls exist, but the proof is scattered across teams, tickets and inboxes. When the review asks for twelve months of Board papers, test results and incident records, assembling them becomes the project.

10

The realistic path to compliance in 6–12 months

CPS 234 isn't a tiered maturity model, but readiness is a continuum. For an entity starting from documented-but-untested, a credible programme looks like this.

Month 0–2

Baseline & classify

Stand up the asset register, classify by criticality and sensitivity, and map current controls and policies to the five obligations and CPG 234. Identify the third parties in scope.

Month 2–5

Close the obvious gaps

Refresh the policy suite, define materiality criteria and the notification workflow, and collect third-party attestations. Agree the Board reporting cadence and risk appetite.

Month 4–9

Build the testing programme

Schedule control-effectiveness testing by criticality, assign owners, and run the first cycle. Bring in independent assurance for critical controls and table-top the incident response.

Month 8–12

Internal audit & attestation-ready

Internal audit reviews design and operating effectiveness. Evidence is continuous, dated and audit-trailed — so the next Board pack and any APRA correspondence assemble themselves.

11

Tooling: what software actually helps

CPS 234 doesn't mandate any tool, and a spreadsheet can technically hold the evidence. The problem isn't capture — it's keeping it current and producible. The software that earns its place does three things: it maps your controls to the obligations and CPG 234, it stores dated evidence with an audit trail back to source, and it reuses that evidence across the standards that overlap.

That's the gap Cybereen is built for — turning CPS 234 from an annual scramble into an operating rhythm. The next section shows how.

INSIDE CYBEREEN

CPS 234, run as a continuous programme.

Three things do the heavy lifting: pre-mapped controls, an evidence library that fills itself, and reporting shaped the way APRA reads it.


Pre-mapped CPS 234 controls

All five core obligations broken into auditable sub-controls, each with an evidence slot and a reference back to the relevant CPS 234 paragraph and CPG 234 guidance.


Evidence library

Attach Board minutes, third-party assessments and incident logs once. Everything is dated and audit-trailed — and auto-fulfils the CPS 230 overlap at the same time.


Capability dashboard

APRA-shaped reporting: control coverage, incident metrics and third-party posture in one view — the spine of the Board pack and the thematic-review pack alike.

Stop treating CPS 234 attestation as an annual event.

Cybereen turns it into ongoing control management — and the attestation is the easy artefact at the end. Free trial, no card.
