Compliance reference · APRA CPS 234

Information security commensurate with the threat.

APRA CPS 234 is the foundational information security standard for every APRA-regulated entity. It is the standard every other APRA prudential standard refers to when it talks about security. Get this one right and the rest of the stack gets easier.

Effective from: 1 July 2019
Regulator: APRA
Applies to: APRA-regulated entities
Pillars: Four

What it actually requires

Four pillars. One Board accountability.

CPS 234 is short by APRA standards but unambiguous on ownership. Information security is a Board obligation. The four pillars below are how the Board demonstrates the obligation is being met.

Roles & responsibilities

Information security is a Board accountability. Roles for the Board, senior management, and governing bodies must be clearly defined and documented. The standard does not allow ownership to drift into "shared responsibility" with no name attached.

Information security capability

Maintain capability commensurate with the size and extent of threats to information assets. Capability is assessed against the actual threat landscape — not the threat landscape from when the policy was last reviewed.

Incident management & notification

Detect, respond to, recover from, and learn from information security incidents. Material incidents must be notified to APRA promptly and within the required reporting window. Capability to inform members and counterparties is part of the obligation.

Third-party information security

Service providers and other third parties that manage information assets must meet equivalent standards. Due diligence at onboarding, ongoing oversight, and exit planning are all in scope. Concentration and fourth-party exposure require explicit treatment.

Where teams hit the wall

Four problems that show up in nearly every CPS 234 conversation.

Capability assessments are point-in-time

The information security capability assessment was thorough at the time. Two years on, the threat landscape has shifted, the architecture has changed, and the assessment reads as a historical document rather than a live picture.

Your assessment lags your risk by 18 months.

Incident notification windows surprise teams

When a real incident hits, the notification window arrives faster than the internal investigation does. The first hour is spent on internal escalation and the second hour realising the regulator clock has been running the whole time.

You miss the window, then explain why.

Third-party register is a snapshot

The information security register of service providers was built during readiness. New SaaS contracts are signed by procurement without security review. Six months later the register and reality have parted ways.

Your register cannot be defended in tripartite review.

AI tools are blocked at security review

Cloud AI tools cannot demonstrate where data goes, how it is segregated, or how to delete it on demand. Security review says no. The compliance team becomes the team blocking the productivity wins everyone else can see.

You cannot deploy the AI you can already justify.

How BackPro maps to CPS 234

Capability that keeps pace with the threat.

Each row maps a CPS 234 obligation to the part of BackPro that does the work. The platform itself is built to be deployable inside a CPS 234-aligned tenant — the obligations and the platform pull in the same direction.

CPS 234 obligation: Roles & responsibilities

BackPro deployments come with documented role-mapping for Board, senior management, and operational owners — version-controlled and signed in the audit chain. Approval workflows enforce the documented matrix; nothing material happens without the documented owner signing it.

CPS 234 obligation: Information security capability

Continuous capability monitoring — the Control Monitor agent watches for failing controls, stale evidence, and policy drift. Evidence freshness is surfaced as a finding, not buried in a spreadsheet. The capability picture updates as the landscape shifts.

CPS 234 obligation: Incident management & notification

Incident playbooks live in the platform with a tamper-evident chain of custody on each step. The audit log signs every action with HMAC-SHA256 and chains it to the previous entry, so the regulator notification carries the evidence trail without a separate evidence-pull.

CPS 234 obligation: Third-party information security

The Vendor Risk agent watches contract expiries, due-diligence cadence, and concentration exposure across material service providers. New SaaS engagements surface as findings until the security review is complete and signed.

CPS 234 obligation: Tenant deployment posture

BackPro itself is designed to be deployable inside an APRA-aligned tenant. Production infrastructure-as-code ships for Azure, AWS, and GCP with encryption at rest and in transit, role-based access control, audit logging on by default, and tenant isolation. SOC 2 Type II and ISO/IEC 27001 readiness programs are underway.
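The HMAC-SHA256 chained audit log described in the incident management row above, as an added illustration. This is constructed example code, not BackPro's implementation; the key, the record fields and the GENESIS marker are assumptions. It also shows the verification side, including the one case a chain by itself cannot catch (entries dropped from the tail), which is why the latest MAC has to be kept out of band.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # stands in for the "previous MAC" of the very first entry (assumed)

def mac_for(key, body):
    """HMAC-SHA256 over one stable serialisation, so the MAC covers exactly these bytes."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class ChainedAuditLog:
    """Append-only log: each entry's MAC covers its own fields plus the previous MAC."""
    def __init__(self, key):
        self._key, self.entries, self.head = key, [], GENESIS

    def append(self, actor, action):
        body = {"seq": len(self.entries), "actor": actor, "action": action, "prev_mac": self.head}
        record = dict(body, mac=mac_for(self._key, body))
        self.entries.append(record)
        self.head = record["mac"]  # keep a copy out of band (e.g. forwarded to the SIEM)
        return record

def verify_chain(entries, key, head=None):
    """(True, None) if intact, else (False, index of the first bad entry). Entries
    dropped from the tail are only caught when the out-of-band head MAC is supplied."""
    prev = GENESIS
    for i, rec in enumerate(entries):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev_mac") != prev:
            return False, i  # reordered, inserted or deleted entry
        if not hmac.compare_digest(mac_for(key, body), rec.get("mac", "")):
            return False, i  # edited entry, or one forged without the key
        prev = rec["mac"]
    if head is not None and prev != head:
        return False, len(entries)  # entries removed from the end
    return True, None

def demo(key=b"constructed-demo-key"):
    # Constructed scenario: three incident-playbook steps, then three kinds of tampering.
    log = ChainedAuditLog(key)
    for actor, action in [("ciso", "declare"), ("ir_lead", "contain"), ("ciso", "notify_apra")]:
        log.append(actor, action)
    edited = json.loads(json.dumps(log.entries))  # deep copy, then alter one field
    edited[1]["actor"] = "intruder"
    return {"intact": verify_chain(log.entries, key, log.head),
            "edited": verify_chain(edited, key, log.head),
            "deleted": verify_chain(log.entries[:1] + log.entries[2:], key, log.head),
            "truncated_no_head": verify_chain(log.entries[:2], key),
            "truncated_with_head": verify_chain(log.entries[:2], key, log.head)}
```

Note that `truncated_no_head` verifies cleanly: a chain proves order and content but not completeness, so the exported head MAC is what makes silent tail deletion detectable.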

Frequently asked questions

What APRA-regulated teams ask before bringing AI inside the CPS 234 perimeter.

Who does CPS 234 apply to?

CPS 234 applies to APRA-regulated entities: authorised deposit-taking institutions (ADIs), general and life insurers, private health insurers, and registrable superannuation entity (RSE) licensees. The standard came into effect on 1 July 2019 and remains the foundational information security obligation referenced by other APRA prudential standards.

What is "commensurate" information security capability?

APRA expects capability to be matched to the size of the entity and the extent of threats to its information assets. There is no single technical control list — the obligation is to demonstrate that capability is sized to the threat. Smaller entities run smaller programs; larger or higher-threat entities run substantially more comprehensive ones. The assessment is not a one-time exercise; capability has to keep pace with the threat landscape.

How quickly does APRA need to be notified of an incident?

APRA expects notification of material information security incidents as soon as possible, and at the latest within the timeframe set in the standard. The window assumes the entity already has the detection and triage capability to recognise materiality quickly. In practice the regulator clock starts before the internal investigation feels ready — this is a core CPS 234 design intention.

How does BackPro support CPS 234 compliance?

BackPro provides continuous monitoring across the four CPS 234 pillars — roles, capability, incident management, and third-party security. The Control Monitor agent watches information security controls and evidence freshness; the Vendor Risk agent watches material service providers; incident response playbooks execute against a tamper-evident chain of custody. Findings are deduplicated, severity-ranked, and routed to your team without manual aggregation.

Is BackPro itself CPS 234 deployable?

BackPro is designed to be deployed inside a CPS 234-aligned tenant. The platform deploys entirely inside your Azure, AWS, or GCP environment using production infrastructure-as-code. No customer document or model output leaves your perimeter. The platform aligns with CPS 234 expectations — encryption at rest and in transit, role-based access control, audit logging on by default, tenant isolation, and a tamper-evident HMAC-chained audit log. SOC 2 Type II and ISO/IEC 27001 readiness programs are underway.

Does BackPro replace our SIEM or our GRC platform?

No. BackPro complements both. Your SIEM remains the system of record for security telemetry; BackPro audit logs export to your SIEM as CEF, JSON Lines, or Syslog (RFC 5424). Your GRC platform remains the system of record for risk-and-control workflows; BackPro automates the document and evidence work surrounding it. The integration uses standard formats — no custom connectors required.

Ready to take CPS 234 off the spreadsheet?

One walkthrough covers architecture, audit chain, deployment model, and how the platform maps to each CPS 234 pillar.