TL;DR
- CPS 234 is Australia’s mandatory prudential standard from APRA (effective since 2019).
- The core goal is to minimize the likelihood and impact of breaches on the CIA triad of information assets.
- Every information asset (including third-party-held) must be identified, classified (Critical / Sensitive / Internal / Public), and kept up to date.
- The board is ultimately responsible for any security-related incidents.
- Outsourced, cloud, or vendor-managed assets are fully in scope. You must assess their security capabilities, enforce strong contractual terms, and monitor ongoing compliance.
- APRA can impose enforceable undertakings, additional capital requirements, restrictions on operations, or formal enforcement action.
As compliance requirements tighten globally, Australia has taken a decisive step with the introduction of Prudential Standard CPS 234 Information Security, setting a clear baseline for how financial institutions must protect themselves and the people who trust them.
Australia’s financial services sector remains one of the most targeted in the world, with high-profile breaches exposing millions of records. According to the Australian Cyber Security Centre’s Annual Cyber Threat Report 2024–2025, more than 1,200 cybersecurity incidents were responded to last year (an 11% increase year-on-year), alongside over 84,700 cybercrimes reported, i.e., 1 every 6 minutes.
For APRA-regulated entities, CPS 234 is the framework standing between your organization and the kind of incident that ends up in a headline.
This blog breaks down exactly what the CPS 234 requirements are, the practical steps to achieve compliance, and the concrete strategies that will meaningfully strengthen your security posture for CPS 234 compliance.
What is CPS 234?
CPS 234 is a prudential standard issued by the Australian Prudential Regulation Authority that sets mandatory security standards for all APRA-regulated entities (Australian financial institutions).
It is one of the most comprehensive frameworks applied to the Australian financial services sector, developed in response to the modern threats faced by financial institutions globally.
Unlike broad voluntary frameworks, CPS 234 places legally binding responsibilities on boards, senior management, and third-party service providers. Non-compliance can attract regulatory intervention, enforceable undertakings, and reputational damage.

Who Must Comply with CPS 234?
CPS 234 applies to all entities regulated by APRA, including:
- Authorised deposit-taking institutions (ADIs), including banks, credit unions, building societies, foreign ADIs, and authorised banking NOHCs.
- General insurers, Category C insurers, authorised insurance NOHCs, and Level 2 insurance group parents.
- Life companies, friendly societies, eligible foreign life insurance companies (EFLICs), and registered life NOHCs.
- Private health insurers under the PHIPS Act.
- RSE licensees (superannuation) in respect of their business operations.
For foreign entities, obligations apply only to Australian branch operations. Where an entity is the Head of a Group (Level 2 or Level 3), requirements extend group-wide, including non-APRA-regulated subsidiaries.
The reach of the standard extends beyond the entity itself. If a vendor manages your information assets, CPS 234 obligations apply from contract renewal or 1 July 2020 onward.
This makes third-party & supply chain security requirements a central focus of CPS 234 Compliance.
Entities that rely heavily on third parties for technology and data management must ensure those arrangements are structured to satisfy CPS 234’s requirements.
Example scenarios
- A foreign bank operating a branch in Australia must comply with CPS 234.
- A foreign insurer operating a branch in Australia is subject to CPS 234 for its local insurance operations.
- A financial institution outsourcing core banking platform support, claims processing, or cloud hosting to an external provider needs to comply with CPS 234.
- A retirement fund using a third-party administrator to handle member enrolment, contributions, and benefit payments must ensure the arrangement meets CPS 234 security standards.
“CPS 234 Para 6: Where an APRA-regulated entity’s information assets are managed by a third party, the requirements in this Prudential Standard will apply in relation to those information assets from the earlier of the next renewal date of the contract with the third party or 1 July 2020.”
Note: Entities that are not authorised or registered by APRA (e.g. fintech startups, non-bank buy-now-pay-later providers, or purely self-managed retirement accounts) are generally not subject to CPS 234. However, if they provide material services to an APRA-regulated entity, the regulated entity will impose security obligations through contractual and oversight mechanisms.
What are the CPS 234 Requirements?
CPS 234 is organised around four core pillars, each addressing a distinct dimension of information security governance:

- Defined roles and responsibilities: Someone must own information security at every level, i.e., board, management, and operational teams. CPS 234 requires that accountability be clear before an incident occurs.
- Maintained information security capability: You must actively sustain the people, processes, and technology needed to prevent, detect, and recover from threats continuously (not as a one-time assessment).
- Asset identification and classification: You can’t protect what you don’t know you have. Every information asset must be catalogued, classified by sensitivity and criticality, and assigned an owner.
- Control implementation and effectiveness testing: Controls protecting information assets must be implemented and regularly tested for effectiveness.
What are the Information Security Capability Requirements?
Under paragraph 15 of CPS 234, entities must maintain an information security capability (people, processes, technology, and controls) proportionate to the size and extent of threats to their information assets. This capability must evolve as the threat environment changes.
“CPS 234 Para 17: An APRA-regulated entity must maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity”
In practical terms, this means entities must invest continuously in people, processes, and technology to protect their information assets. APRA expects that capability assessments are conducted regularly and that any identified gaps are remediated on a risk-prioritised basis.
Key elements of an information security capability include:
- A dedicated information security function with sufficient resources and expertise
- Up-to-date threat intelligence and vulnerability management programs
- Security monitoring and detection capabilities, including SIEM tools where appropriate
- Defined and tested incident response and business continuity plans
- Regular staff awareness training and security culture initiatives
Entities must also be able to demonstrate to APRA that their capability is adequate.
This requires maintaining evidence of assessments, training records, test results, and remediation logs. A capability that exists only on paper will not satisfy the standard.
Pro Tip: Form a cross-functional information security team and maintain a cyber risk register with key risk indicators (KRIs). Regularly assess whether current controls can handle plausible worst-case scenarios (e.g., ransomware attacks or insider threats).
Asset Identification & Classification Obligations in CPS 234
CPS 234 requires regulated entities to classify their information assets, including those managed by third parties, by criticality and sensitivity. This classification determines the level of control required and the priority of protection.
An information asset under CPS 234 is broadly defined and includes data, hardware, software, systems, and any other resource that holds or processes information. Entities must maintain an up-to-date register of these assets, clearly identifying who is responsible for each asset and the classification that applies.
“CPS 234 Para 20: An APRA-regulated entity must classify its information assets, including those managed by related parties and third parties, by criticality and sensitivity…”
A simple CPS 234 classification framework that can be used:
- Critical: Assets whose compromise would cause severe operational issues or significant harm to customers and stakeholders (e.g., core banking systems, policyholder data).
- Sensitive: Assets containing confidential information or PII that require strong controls but are not operationally critical.
- Internal: Assets used for internal operations with moderate sensitivity.
- Public: Assets with no confidentiality requirements.
Classification must be reviewed and updated when the nature or usage of assets changes. Failure to maintain an accurate asset register is one of the most common gaps APRA identifies during reviews.
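The register obligations described above (every asset has an owner, a classification from the four-tier scheme, a classification that is kept current, and a security assessment where a third party manages the asset) are concrete enough to check mechanically. The following is an added example, not code from the original post, from APRA, or from Astra Security: a small linter over a constructed asset register. The field names, the 12-month review period used as a staleness threshold, the `AS_OF` date, and every sample row are assumptions made for this example.

```python
"""
Added example: lint an information asset register for the gaps CPS 234 reviews
most often surface. Register schema, thresholds and sample rows are assumptions
constructed for this example, not an official APRA format.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# The four-tier scheme used in the text above.
VALID_CLASSIFICATIONS = ("Critical", "Sensitive", "Internal", "Public")

# Assumption: a classification or third-party assessment older than this is stale
# (mirrors the "reviewed within the last 12 months" audit-prep advice on this page).
REVIEW_PERIOD = timedelta(days=365)

# Assumed "today" so the sample run is deterministic.
AS_OF = date(2025, 12, 1)


@dataclass
class Asset:
    name: str
    owner: Optional[str]
    classification: Optional[str]
    last_reviewed: Optional[date]
    managed_by_third_party: bool = False
    third_party_assessed: Optional[date] = None  # date of last provider assessment


def _stale(when: Optional[date], today: date) -> bool:
    """True when a date is missing or older than REVIEW_PERIOD relative to today."""
    return when is None or today - when > REVIEW_PERIOD


def lint_register(assets: List[Asset], today: date) -> List[Tuple[str, str]]:
    """Return (asset name, finding) pairs; an empty list means the register is clean."""
    findings: List[Tuple[str, str]] = []
    seen = set()
    for a in assets:
        if a.name in seen:
            findings.append((a.name, "duplicate entry"))
        seen.add(a.name)
        if not a.owner:
            findings.append((a.name, "no accountable owner"))
        if a.classification not in VALID_CLASSIFICATIONS:
            findings.append((a.name, f"invalid classification {a.classification!r}"))
        if _stale(a.last_reviewed, today):
            findings.append((a.name, "classification review overdue"))
        # Third-party-managed assets stay in scope: the entity must hold a current
        # assessment of the provider's security capability.
        if a.managed_by_third_party and _stale(a.third_party_assessed, today):
            findings.append((a.name, "third-party security assessment missing or stale"))
    return findings


# Constructed sample register (names, owners and dates are invented).
SAMPLE_REGISTER = [
    Asset("Core banking platform", "Head of Retail Technology", "Critical",
          date(2025, 9, 1)),
    Asset("Claims processing (outsourced)", "Chief Operating Officer", "Critical",
          date(2025, 3, 15), managed_by_third_party=True,
          third_party_assessed=date(2024, 5, 1)),          # assessment > 12 months old
    Asset("Marketing website", None, "Public", date(2024, 6, 30)),  # no owner, stale review
    Asset("HR payroll export", "Head of People", "Confidential",
          date(2025, 11, 1)),                                # not in the four-tier scheme
    Asset("Cloud backup store", "Head of Infrastructure", "Sensitive",
          date(2025, 10, 1), managed_by_third_party=True),   # never assessed
]


def lint_sample() -> List[Tuple[str, str]]:
    """Run the linter over the constructed register as of AS_OF."""
    return lint_register(SAMPLE_REGISTER, AS_OF)


if __name__ == "__main__":
    for name, finding in lint_sample():
        print(f"{name}: {finding}")
```

Run as a script it prints one line per gap; in practice the register would be loaded from the entity's system of record and the findings fed into the remediation tracker the text describes.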
What Does Effective Control Testing and Implementation Look Like?
CPS 234 requires that controls be implemented in a timely manner and that their effectiveness be tested regularly: at least annually, or following significant changes.
Controls must be proportionate to the classification of the asset. Critical assets demand stronger, more rigorous controls. The standard does not prescribe specific technical controls, giving entities flexibility to choose solutions appropriate to their operating model, but it does require entities to justify their control choices.
Control effectiveness testing under CPS 234 includes:
- Penetration testing of systems holding critical or sensitive assets.
- Vulnerability assessments with risk-rated findings and documented remediation timelines.
- Access control reviews, i.e., who has access to what, and is it still appropriate?
- Privileged access management audits.
- Phishing simulations and social engineering exercises.
- Independent assurance reviews by internal audit or qualified external parties.
“CPS 234 Para 31: An APRA-regulated entity must review the sufficiency of the testing program at least annually or when there is a material change to information assets or the business environment.”
Where testing reveals gaps, entities must establish a remediation plan and track progress. APRA expects timely remediation and has been known to escalate regulatory attention where systemic gaps persist without adequate remediation.
Third-Party & Supply Chain Security Requirements
Your security is only as strong as the weakest link in your supply chain. And in today’s outsourced, cloud-dependent operating environment, your supply chain is long.
Under paragraph 16, CPS 234 is explicit that obligations do not diminish simply because information assets are managed by a third party. Regulated entities remain responsible for ensuring that their service providers (including cloud providers, outsourced IT operations, and data processors) maintain information security capabilities consistent with the standard.
This creates a significant due diligence and ongoing monitoring obligation. Before engaging a third party to manage information assets, entities must assess the provider’s security posture.
After engagement, they must monitor it continuously.

Practical requirements for third-party security under CPS 234 include:
- Pre-engagement assessments covering the provider’s policies, controls, and incident history.
- Contractual provisions requiring the provider to maintain appropriate security controls and notify the entity of incidents.
- Ongoing monitoring through attestations, certifications (e.g., ISO 27001, SOC 2), or direct audit rights.
- Annual review of all material third-party arrangements.
- Incident notification obligations flowing from the provider back to the regulated entity in timeframes that allow APRA notification obligations to be met.
Entities that have concentrated their operations in a small number of critical service providers face heightened supply chain risk. APRA expects concentration risk to be identified, documented, and managed.
Pro Tip: Ask yourself: If your primary cloud provider suffered a major outage tomorrow, could you maintain critical operations? If the answer is ‘no’ or ‘we’d figure it out,’ you have a CPS 234 issue.
Incident Management and Notification Obligations in CPS 234
CPS 234 requires regulated entities to have a strong information security incident management capability. This encompasses the ability to detect, contain, eradicate, and recover from incidents.
Incident response plans must be documented, regularly tested (including tabletop exercises), and updated to reflect changes in the threat environment and the entity’s operating model.
“CPS 234 Para 23: An APRA-regulated entity must have robust mechanisms in place to detect and respond to information security incidents in a timely manner.”
One of the most operationally significant CPS 234 reporting requirements is the mandatory notification obligation. Regulated entities must notify APRA:
CPS 234 Notification Requirements
- As soon as possible and no later than 72 hours after becoming aware of an information security incident that has materially affected, or has the potential to materially affect, the entity or its customers.
- No later than 10 business days after becoming aware of a material information security control weakness that the entity expects will not be remediated on time.
“CPS 234 Para 35, 36: An APRA-regulated entity must notify APRA as soon as possible and, in any case, no later than 72 hours…”
The 72-hour window for incident notification is tight, particularly for complex incidents where the full scope may not yet be understood. Entities must have clear escalation processes that ensure the right people are informed and can make a notification decision quickly. Delayed notifications are a significant compliance risk and have been the subject of APRA enforcement actions.
In addition to APRA, entities may have parallel notification obligations under the Notifiable Data Breaches (NDB) scheme administered by the Office of the Australian Information Commissioner (OAIC) where personal information is involved.
What Boards Are Actually Expected to Do under CPS 234
CPS 234 places explicit accountability at the top of the organisation. The board of a regulated entity is ultimately responsible for ensuring that the entity maintains adequate information security.
Board responsibilities under CPS 234 paragraphs 13 and 14 include:
- Approving and overseeing the entity’s information security policy framework.
- Ensuring sufficient resources are allocated to information security.
- Receiving regular reporting on the entity’s information security posture, incidents, and control effectiveness.
- Understanding and overseeing risks arising from third-party arrangements.
- Ensuring that information security is considered in decision-making (e.g., new products, digital transformation initiatives, acquisitions).
Senior management bears responsibility for implementing the board’s directions and for the day-to-day management of information security risks. This typically includes the Chief Information Security Officer (CISO), Chief Risk Officer (CRO), and other executives whose functions involve information assets.
APRA has increasingly scrutinised the quality of board information security reporting.
CPS 234 Compliance Checklist
Use the following checklist to assess your organisation’s current CPS 234 compliance posture:
- Defined and documented information security roles (Board, management, staff)
- Maintained an up-to-date information asset register with classifications
- Implemented controls proportionate to asset criticality and sensitivity
- Conducted control effectiveness testing at least annually
- Assessed and documented third-party information security capabilities
- Established incident response and escalation procedures
- Notified APRA of material incidents within 72 hours
- Conducted annual internal or independent audit of CPS 234 compliance
- Board has reviewed and endorsed information security policy
- Remediation plans are in place for identified control weaknesses
How to Prepare for a CPS 234 Audit or Assessment
APRA conducts regular prudential reviews and targeted thematic assessments of CPS 234 compliance. Being well-prepared is essential to demonstrating a mature information security posture and avoiding adverse regulatory findings.

Before the Assessment
- Conduct a self-assessment against all CPS 234 requirements and document findings honestly.
- Ensure your information asset register is up to date and has been reviewed within the last 12 months.
- Compile evidence of control effectiveness testing, including penetration test reports, audit findings, and remediation tracking.
- Review all material third-party arrangements for currency of security assessments and contractual protections.
- Confirm that board papers and minutes reflect meaningful information security governance.
During the Assessment
- Designate a single point of coordination for APRA information requests to ensure consistency and timeliness.
- Be transparent about known gaps: APRA views undisclosed deficiencies far more seriously than disclosed ones with credible remediation plans.
- Provide evidence: regulators expect documented proof of compliance, not verbal representations.
After the Assessment
- Respond to any findings promptly with a detailed remediation plan, including owners, timelines, and progress milestones.
- Treat findings as an opportunity to strengthen your security posture, not merely a compliance box to tick.
- Update your internal compliance monitoring to address any systemic issues identified.
How Astra Security Helps You Meet CPS 234 Requirements
CPS 234’s control testing requirements, i.e., annual penetration testing for web applications and services, vulnerability assessments, and ongoing monitoring, are among the most resource-intensive obligations in the standard.
For entities without large in-house security teams, keeping up with the required cadence is genuinely difficult.

Astra Security’s Pentest platform is built specifically to address this problem. We combine AI-powered automated scanning with certified manual penetration testers (OSCP, CEH, eJPT qualified) to deliver the depth of assessment that CPS 234’s risk-based approach demands, without requiring you to manage a full in-house team.
What that looks like in practice:
- Scans against 15,000+ test cases, including OWASP Top 10, SANS Top 25, known CVEs, and business logic flaws that automated tools alone cannot detect.
- Test cases are updated regularly to stay relevant to modern threats.
- Coverage across web apps, APIs, cloud infrastructure (AWS, Azure, GCP), and endpoints (the same asset categories CPS 234’s classification obligations cover).
- Continuous scanning between formal assessments, so you’re not flying blind in the months between annual pentests.
- Findings delivered with risk ratings, business impact assessments, step-by-step reproduction, and remediation guidance, exactly the documented evidence APRA expects to see.
- CI/CD integration via Jira and Slack, so security testing is embedded into your development lifecycle rather than bolted on at the end.
Solving the Third-Party Security Problem with Astra Trust Center

You’re a regulated entity. You rely on technology vendors, cloud providers, and outsourced service providers. CPS 234 requires you to assess and monitor their security posture continuously. But you’re also somebody else’s vendor.
That creates a two-sided problem. On one side, you’re chasing your vendors for security evidence. On the other, your clients are chasing you.
It’s a significant operational burden on both sides, and it still leaves everyone relying on static, point-in-time documents that are out of date almost as soon as they’re produced.
Astra’s Trust Center can solve this problem.
A Trust Center is a publicly accessible, continuously updated security posture page that your vendors, clients, and regulators can access at any time.
- It satisfies your clients’ third-party assessment obligations in real time. Instead of sending a static report, you share a live Trust Center link. Your clients can see your current vulnerability scan coverage, recent penetration test results and certificates, active compliance frameworks, and security metrics, all in one place.
- The data is live, not stale. Astra’s Trust Center pulls real-time data directly from your vulnerability scanner and pentest pipeline. Your clients never see an expired document.
Final Thoughts
CPS 234, at its core, asks for the same thing every other serious compliance framework asks: prove it. Prove your controls work. Prove your board is engaged. Prove your vendors meet the standard. Prove you can detect and respond to an incident. Prove you’d notify APRA in a timely manner.
The organisations that find compliance genuinely manageable are those that stop treating each framework as a separate exercise and start building a security operating model that satisfies all of them simultaneously. The implication is worth sitting with.
If your organisation operates across multiple compliance obligations, a mature penetration testing program simultaneously produces evidence for your ISO 27001 audit, feeds your SOC 2 security criteria, and supports your cyber insurance renewal. It’s the rare compliance investment that compounds each test cycle, generating value across multiple frameworks at once.