CPS 234 — Information Security
The APRA prudential standard that obliges regulated entities to maintain information security capability commensurate with the threats to their information assets.
CPS 234 (Information Security) requires APRA-regulated entities to maintain information security controls commensurate with the size and extent of threats to their information assets, including assets managed by third parties. It came into effect on 1 July 2019 and applies to banks, insurers, and superannuation funds.
A defining feature of CPS 234 is the explicit accountability at the board and senior management level — “information security is a board responsibility” — coupled with a 72-hour mandatory notification to APRA following a material information-security incident.
1. Clearly defined information-security roles and responsibilities at board, management, and operational levels.
2. An information security capability commensurate with information asset criticality and the threat environment.
3. Information security controls that are tested, monitored, and continuously improved.
4. Mandatory APRA notification of material information-security incidents within 72 hours.
5. Annual review and attestation of information security policies and controls.
CPS 234 is the standard APRA inspectors lean on when assessing whether a regulated entity’s information-security posture is fit for purpose. It also drives the supplier-risk angle: any third party that manages your information assets is in scope, so its controls must be assessed too, which is why “our data never leaves your environment” is a structural rather than cosmetic advantage when shortlisting AI vendors.