Start with Identity

CPS 234

Prudential Standard CPS 234 Information Security

CPS 234 is a binding APRA prudential standard, effective 1 July 2019, requiring regulated financial entities to maintain information security capabilities resilient to incidents including cyberattacks. It mandates clear roles, controls, testing and incident notification.

Jurisdiction: 🇦🇺 Australia
Type: Information security
In effect: 2019
Authority: Australian Prudential Regulation Authority (APRA)

Who it applies to

APRA-regulated entities including authorized deposit-taking institutions, general, life and private health insurers, superannuation (RSE) licensees, and authorized or registered non-operating holding companies.

Identity requirements

How it impacts identity systems

Identity area: Impact
Authentication & MFA: Controls to protect information assets drive strong authentication and access management for regulated systems.
Privileged access (PAM): Defined roles and asset-protection controls require tight management of privileged and administrative access.
Identity governance (IGA): Clear assignment of security responsibilities and access controls supports governance of identities and entitlements.
Breach notification: Material information security incidents must be notified to APRA, generally within 72 hours.
Audit, logging & accountability: Entities must test controls and maintain board-level accountability for information security.

Penalties

As a binding prudential standard, non-compliance can trigger APRA supervisory and enforcement actions, including directions, license conditions or court-enforceable measures, rather than a fixed monetary fine.

CPS 234: frequently asked questions

When did CPS 234 take effect?
CPS 234 commenced on 1 July 2019 and applies to all APRA-regulated entities.
Does CPS 234 cover third-party providers?
Yes. Entities must ensure information assets managed by third parties and related parties are protected to a standard commensurate with the threats they face.
What incident notification does CPS 234 require?
Regulated entities must notify APRA of material information security incidents, generally no later than 72 hours, and of material information security control weaknesses.
Educational summary, not legal advice. Confirm current requirements with the relevant authority or counsel.