An Introduction to APRA CPS 234

The threat of cybercrime for businesses cannot be overstated. Cybercrime has increased sharply over the past decade, causing significant financial and reputational damage to businesses in Australia and around the world. The Australian government’s Office of the Australian Information Commissioner (OAIC) introduced the ‘Notifiable Data Breach Scheme’ in 2018, which made it mandatory under Australian privacy law for an organisation or agency to report a data breach if it was likely to cause harm. This led to Australian organizations taking more responsibility for risks and breaches.

What is APRA CPS 234?

To assist organizations in protecting themselves from cybercrime, the Australian Prudential Regulation Authority (APRA) created a new standard for information security management called APRA CPS 234. This standard is designed to help APRA-regulated entities increase their overall resilience against information security incidents that can affect the confidentiality, integrity or availability of information assets.

Why is APRA CPS 234 relevant today?

Cyberattacks have increased in frequency, as malicious actors are getting more sophisticated and ingenious in their methods of compromising information assets of organizations. Organizations in the finance industry have become especially lucrative targets for these criminals due to the high amount of financial reward and access to personally identifiable information (PII) and protected health information (PHI) that these organizations hold. 

This trend has been helped by lacklustre information security and an overreliance on technology and third-party vendors by superannuation, banking and insurance companies, in an attempt to increase customer satisfaction and operational efficiency. As a result, internal and external stakeholders have raised their expectations for securing information assets and are calling for greater importance to be given to promoting information security within the organization as a whole.

CPS 234 can help APRA-regulated entities reduce cyber risk and improve their overall cyber security posture by ensuring that their information security takes into account their vulnerabilities and threats. CPS 234 also ensures that organizations give more attention to vendor risk management so that incidents involving third parties are reduced.

What kind of organisations does the APRA CPS 234 apply to?

CPS 234 applies to all APRA-regulated entities. These include:

  1. Banks, credit unions and other authorised deposit-taking institutions (ADIs)
  2. Superannuation funds
  3. Life insurance companies
  4. Friendly societies
  5. General insurers
  6. Non-operating holding companies
  7. Private health insurers

It is important to note that from July 1, 2020 onwards all third parties that handle information assets from the above listed organizations will also have to comply with CPS 234. 

CPS 234 also applies to certain foreign entities. These include:

  1. Foreign ADIs
  2. Foreign General Insurers 
  3. Foreign life insurance companies 

6 Considerations for the Board of an APRA-regulated entity

If APRA CPS 234 applies to your organisation, your Board is ultimately responsible for information security and compliance. Here are 6 key considerations that can help a board carry out its responsibilities effectively:

Roles and responsibilities - the board needs to provide management with a clear outline of how it expects to be engaged. For example, the delegation of responsibilities amongst personnel, how and to whom risks need to be escalated, and issues and reporting requirements all need to be outlined to management.

Information Security Capability - the board needs to make sure that current information security capability effectively addresses the possible vulnerabilities and threats. A board needs to provide management with an adequate budget to sustain a high level of information security, and to make sure that reviews and improvements to the overall information security capability are taking place in a timely fashion.

Policy framework - the board needs to make sure that the policies in place regarding information security meet their expectations.

Implementation of Controls - the board needs to regularly seek assurance from and, as appropriate, challenge management on reporting regarding the effectiveness of the information security control environment and the overall health of the entity’s information assets.

Testing control effectiveness - the board needs to regularly seek assurance from and, as appropriate, challenge management on the sufficiency of testing coverage across the control environment, and form a view as to the effectiveness of the information security controls based on the results of the testing conducted.

Internal Audit - the board needs to consider the effectiveness of internal audits based on factors such as coverage, skills, capacity and capabilities with respect to the provision of independent assurance that information security is maintained. The board also needs to evaluate the effectiveness of information security controls based on the results of internal audits.

If APRA CPS 234 is applicable to your organisation, StickmanCyber can help review your cybersecurity framework and offer recommendations to ensure compliance. Explore our APRA CPS 234 compliance services.
