APRA CPS 234: APRA Assessment

Are you a financial institution or an insurance firm? StickmanCyber can help review your current cybersecurity framework against the requirements of APRA 234, identify compliance issues, and provide recommendations for remediation.

What is APRA 234

APRA CPS 234 is a standard for information security management designed to help APRA regulated entities increase their overall resilience towards information security incidents that can affect the confidentiality, integrity or availability of information assets.

The CPS 234 requires APRA regulated entities to:

  • Explicitly define roles and responsibilities of the board, senior management, governing bodies and other employees regarding information security.

  • Create and maintain an information security capability that is adequate enough to deal with emerging threats and existing vulnerabilities, so that the organisation can continue to operate efficiently and effectively.

  • Establish controls to protect information assets taking into consideration their individual criticality and sensitivity. Continue to evaluate these controls in a timely fashion so that improvements can be made so that they are always of a high standard.

  • Report any cyber incidents to APRA within 72 hours.

What kind of organisations does the APRA CPS 234 apply to?


CPS 234 applies to all APRA-regulated entities. These include:

  • Banks, credit unions and other authorised deposit-taking institutions (ADIs)
  • Superannuation funds
  • Life insurance companies
  • Friendly societies
  • General insurers
  • Non-operating holding companies
  • Private health insurers.

It is important to note that from July 1, 2020, onwards all third parties that handle information assets from the above-listed organisations will also have to comply with CPS 234. 

CPS 234 also applies to certain foreign entities. These include:

  • Foreign ADIs
  • Foreign General Insurers 
  • Foreign life insurance companies

Why is APRA CPS 234 relevant today?

Conceptual digital image of lock on circuit background. | StickmanCyber

Organisations in the finance industry have become especially lucrative targets for these criminals due to the high amount of financial reward and access to personally identifiable information (PII) and protected health information (PHI) that these organisations hold.

This trend has been helped by lacklustre information security and an overreliance on the use of technology and third party vendors by superannuation, banking and insurance companies, in an attempt to increase customer satisfaction and operational efficiency. In consequence, internal and external stakeholders have increased their expectations when it comes to securing information assets.

CPS 234 can help APRA regulated entities to reduce cyber risk and increase their overall cyber security posture by ensuring that their information security takes into account their vulnerabilities and threats. The CPS 234 also ensures that organisations give more attention to vendor risk management so that incidents involving third parties are reduced.

How We Do It

The StickmanCyber team can review your current cybersecurity framework against the requirements of APRA 234, identify and compliance issues and provide recommendations for remediation. We follow a standard 5-step methodology to define compliance goals, plan and execute the steps required, share relevant reports with the right stakeholders, and continuously monitor the scene to ensure compliance.

Graphic showing 5 step methodology - Cyber Security By Design. | StickmanCyber

Apra CPS 234 Checklist


Arm yourself with up-to-date information and insights into building a successful cybersecurity strategy, with blogs and webinars from the StickmanCyber team, and industry experts.

Ready to Improve and Enhance Your Cybersecurity Posture?

Know your exact challenge and want a solution partner? Just starting out on the cybersecurity journey? The StickmanCyber team can help.