APRA CPS 234: A Practical Compliance Checklist for Australian Financial Services

If your organisation is regulated by APRA — a bank, insurer, superannuation fund, or other APRA-regulated entity — then CPS 234 is not optional. It is a legally binding prudential standard that requires you to maintain an information security capability commensurate with your risk profile, and to be able to demonstrate that capability to APRA examiners on demand.

This guide breaks down exactly what CPS 234 requires, where most APRA-regulated entities fall short, and what a practical compliance posture looks like — including a checklist you can use as a starting point for your own gap assessment.

What is APRA CPS 234?

Prudential Standard CPS 234 Information Security came into force on 1 July 2019. The requirements themselves have been stable since then; what has changed is the intensity with which APRA enforces them, which hardened following a series of high-profile incidents. It applies to all APRA-regulated entities, including:

  • Authorised deposit-taking institutions (ADIs) — banks, credit unions, building societies
  • Life companies, general insurers, and private health insurers
  • Superannuation (RSE) licensees
  • Non-operating holding companies of APRA-regulated entities

CPS 234 is principles-based, not prescriptive. APRA does not specify which technology controls you must implement — it requires you to have appropriate controls for your risk profile and to be able to demonstrate they are effective. This distinction matters enormously in practice.

Why this matters now: APRA significantly increased its enforcement intensity from 2022 onward. The regulator now expects to see documented evidence of testing programs, third-party risk management, and incident response rehearsals — not just policy documents. Regulated entities that were previously compliant “on paper” are increasingly finding gaps under scrutiny.

The Four Core Obligations of CPS 234

1. Roles and Responsibilities

CPS 234 requires that the Board, senior management, and relevant staff have clearly defined and documented information security responsibilities. APRA expects the Board to have ultimate oversight of information security risk — not just delegate it to IT. In practice, this means:

  • The Board must receive regular information security reporting
  • A senior executive must hold accountability for the information security function
  • Responsibilities must be documented and understood across the three lines of defence

2. Information Security Capability

The entity must maintain an information security capability commensurate with the size and extent of threats to its information assets, one that enables the entity's continued sound operation. This includes having policies, controls, processes, and skills sufficient to protect against, and respond to, relevant threats, and the standard requires the capability to be actively maintained as threats and the asset base change. APRA expects this capability to be proportionate. A large ADI and a small credit union have different expectations, but both must demonstrate active management of their risk.

3. Information Asset Identification and Classification

You cannot protect what you cannot see. CPS 234 requires entities to classify their information assets by criticality and sensitivity, which in practice means maintaining a complete and current information asset register. The obligation explicitly covers assets managed by related parties and third parties, so if your core banking system or member administration platform is cloud-hosted or outsourced, those assets still fall within scope.

Common gap: Many APRA-regulated entities have internal asset registers but have not extended them to third-party providers and supply chain dependencies. APRA examiners specifically probe this area.

4. Implementation of Controls

Policies and frameworks must be backed by implemented technical and procedural controls. CPS 234 requires that controls be tested to confirm they are operating as intended — not just documented. This is where most entities face their most significant compliance burden: the shift from having a patching policy to demonstrating that patching is occurring within defined timeframes and tested against realistic attack scenarios.
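An added example (not the page's, Fort1's, or APRA's code) of what "demonstrating that patching is occurring within defined timeframes" looks like as evidence rather than policy, which is also the testing-evidence gap described later on this page (scans run but findings not tracked to closure). The script ages each finding in a vulnerability-scanner export against a per-severity remediation timeframe and reports breaches and a within-SLA percentage. The SLA table (SLA_DAYS), the CSV column layout, the finding IDs and hostnames in SAMPLE_CSV, and the report date AS_OF are all constructed assumptions; substitute your own policy timeframes and export.

```python
"""Patching-timeframe evidence from a vulnerability-scanner export.

Added example: not the page's, Fort1's or APRA's code. The SLA table, the CSV
layout and the sample findings are assumptions; point it at your own export.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Assumed policy timeframes (calendar days from first detection) by severity.
# Hypothetical values: replace with the timeframes your policy actually states.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Constructed sample export. Finding IDs and hostnames are placeholders, not real CVEs or systems.
SAMPLE_CSV = """finding_id,asset,severity,first_seen,closed
F-001,internet-banking-web-01,critical,2024-05-01,2024-05-10
F-002,internet-banking-web-01,critical,2024-05-01,
F-003,core-db-02,high,2024-04-01,2024-05-15
F-004,member-portal-api,medium,2024-01-15,
F-005,batch-worker-07,low,2024-03-01,
"""

# Date the report is run; open findings are aged up to this day.
AS_OF = date(2024, 6, 1)


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    severity: str
    first_seen: date
    closed: date | None  # None while the finding is still open


@dataclass(frozen=True)
class SlaResult:
    finding: Finding
    days_open: int
    sla_days: int
    breached: bool


def parse_findings(csv_text: str) -> list[Finding]:
    """Parse rows of finding_id,asset,severity,first_seen,closed (ISO dates; closed may be blank)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        severity = row["severity"].strip().lower()
        if severity not in SLA_DAYS:
            # An unmapped severity would silently escape the SLA, so fail loudly instead.
            raise ValueError(f"{row['finding_id']}: no SLA defined for severity {severity!r}")
        closed = row["closed"].strip()
        findings.append(Finding(
            finding_id=row["finding_id"].strip(),
            asset=row["asset"].strip(),
            severity=severity,
            first_seen=date.fromisoformat(row["first_seen"].strip()),
            closed=date.fromisoformat(closed) if closed else None,
        ))
    return findings


def assess(findings: list[Finding], as_of: date) -> list[SlaResult]:
    """Age each finding to its closure date (or as_of if still open) and compare with its SLA.
    A finding closed after the SLA is still a breach: the control under test is timely patching."""
    results = []
    for f in findings:
        days_open = ((f.closed or as_of) - f.first_seen).days
        sla = SLA_DAYS[f.severity]
        results.append(SlaResult(f, days_open, sla, days_open > sla))
    return results


def summarise(results: list[SlaResult]) -> dict[str, dict[str, float]]:
    """Per-severity totals, breaches and percentage within SLA, for the Board reporting pack."""
    summary: dict[str, dict[str, float]] = {}
    for r in results:
        s = summary.setdefault(r.finding.severity, {"total": 0, "breached": 0})
        s["total"] += 1
        s["breached"] += int(r.breached)
    for s in summary.values():
        s["within_sla_pct"] = round(100 * (s["total"] - s["breached"]) / s["total"], 1)
    return summary


def breaches(results: list[SlaResult]) -> list[SlaResult]:
    """Breached findings, worst first (largest overrun of the SLA), for the remediation tracker."""
    return sorted((r for r in results if r.breached),
                  key=lambda r: r.days_open - r.sla_days, reverse=True)


if __name__ == "__main__":
    results = assess(parse_findings(SAMPLE_CSV), AS_OF)
    for sev, s in summarise(results).items():
        print(f"{sev:<8} total={s['total']} breached={s['breached']} within_sla={s['within_sla_pct']}%")
    for r in breaches(results):
        f = r.finding
        state = f"closed {f.closed}" if f.closed else "still open"
        print(f"BREACH {f.finding_id} {f.asset}: {r.days_open}d vs SLA {r.sla_days}d ({state})")
```

Two design choices matter for the evidence. A finding closed after its timeframe still counts as a breach, because the control being tested is timely patching, not eventual patching; and a severity with no defined timeframe raises an error rather than being skipped, so nothing silently escapes the measurement. The per-severity within-SLA percentage is the risk-focused figure a Board pack should carry, alongside the worst-first list of open breaches.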

The CPS 234 Notification Obligations

CPS 234 includes two mandatory notification requirements to APRA (paragraphs 35 and 36 of the standard). Entities must notify APRA as soon as possible and in any case:

  • Within 72 hours: of becoming aware of an information security incident that materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers, or that has been notified to another regulator in Australia or elsewhere
  • Within 10 business days: of becoming aware of a material information security control weakness that the entity expects it will not be able to remediate in a timely manner

The 72-hour rule is stricter than most entities realise. The clock starts when you become aware of an incident that had the potential for material impact, not when you have confirmed the impact, and a notification made to another regulator is a trigger in its own right. This means incident detection, triage, and escalation processes need to be capable of reaching a reportable assessment within the notification window.

Third-Party Risk: The Most Common Compliance Gap

CPS 234 extends your security obligations to related parties and third parties who manage information assets on your behalf. You must assess their information security capability, evaluate the design and, where needed, the operating effectiveness of their controls, and include them in your testing and internal audit coverage. In practice that requires contractual provisions that let you test and audit their controls.

This is the area APRA has scrutinised most heavily in recent years. The specific obligations include:

  • Assessing third-party information security capabilities before and during engagement
  • Maintaining contractual rights to audit or test third-party security controls
  • Maintaining visibility into material incidents at third parties that affect your information assets
  • Ensuring data held by third parties is covered by your classification and protection standards

In practice, this requires a vendor risk management program — not a one-time vendor questionnaire, but an ongoing assessment cycle proportionate to vendor criticality.

The CPS 234 Compliance Checklist

The following checklist covers the main areas APRA examiners assess. It is not exhaustive — your specific requirements depend on your size, risk profile, and the nature of your information assets — but it provides a solid starting framework for a gap assessment.

Governance and Accountability

Relevant CPS 234 requirements: roles and responsibilities (the Board is ultimately responsible for the entity's information security), policy framework, internal audit

Board receives formal information security reporting at defined intervals (the standard sets no minimum frequency; quarterly is a sensible baseline)

Senior executive holds documented accountability for information security

Three lines of defence model applied to information security risk

Roles and responsibilities for information security documented and communicated to relevant staff

Internal audit reviews the design and operating effectiveness of information security controls, including controls maintained by related parties and third parties

Information Asset Management

Relevant CPS 234 requirements: information asset identification and classification (assets, including those managed by related parties and third parties, classified by criticality and sensitivity)

Comprehensive information asset register maintained and current (updated at least annually or following material changes)

Assets classified by criticality and sensitivity

Register extends to third-party managed assets (cloud, outsourced services)

Owner assigned to each critical information asset

Control Implementation and Testing

Relevant CPS 234 requirements: information security capability, implementation of controls, testing control effectiveness

Information security policy suite current, approved, and communicated

Controls tested to confirm operating effectiveness (not just documented)

Penetration testing program covers internet-facing and internal systems at defined intervals

Vulnerability management program active — scanning frequency and patching timeframes documented and met

MFA implemented for all privileged access and remote access

Privileged access management (PAM) controls in place and reviewed at least quarterly

Security monitoring capability active — alerts, logging, and SIEM or equivalent

Data loss prevention controls aligned to asset classification

Backup and recovery tested — not just configured

Third-Party Risk Management

Relevant CPS 234 requirements: there is no standalone third-party section; the third-party obligations sit inside the capability, classification, controls, testing and internal audit requirements

Vendor register maintained, covering all third parties managing information assets

Pre-engagement security assessment process documented and applied to new vendors

Ongoing security assessments conducted for critical vendors

Contracts with material vendors include audit/test rights and notification obligations

Material vendor incidents trigger internal escalation and potential APRA notification assessment

Incident Response and Notification

Relevant CPS 234 requirements: incident management, APRA notification (paragraphs 35 and 36)

Information security incident response plan documented and tested

72-hour APRA notification process understood, documented, and rehearsed by relevant staff

10-business-day material control weakness notification process documented

Tabletop or simulation exercises conducted at least annually

Post-incident review process in place — findings fed back into control improvement cycle

Where Most APRA-Regulated Entities Fall Short

Based on APRA’s own published findings and Fort1’s work with Australian financial services organisations, the most consistent gaps are:

Testing evidence gaps: Controls are documented but testing evidence is inadequate or out of date. Penetration testing conducted once and not repeated; vulnerability scans run but findings not tracked to closure.
Third-party risk management: Asset registers don’t extend to cloud providers and outsourced services. Vendor contracts don’t include audit rights. Vendor assessments were completed at onboarding but not refreshed.
Privileged access management: Former employee accounts not deprovisioned. Admin accounts used for day-to-day work. Shared credentials across multiple users with no individual accountability.
Notification readiness: 72-hour obligation is understood in principle but not operationalised — no documented escalation path, no trained incident response team, no rehearsed decision criteria for what constitutes a reportable incident.
Board reporting quality: Board receives information security updates, but reporting is activity-focused (number of patches, number of incidents) rather than risk-focused (what the residual risk position is and how it has changed).

CPS 234 and the ACSC Essential Eight

CPS 234 does not mandate the ACSC Essential Eight, but the two complement each other closely. Essential Eight Maturity Level Two provides a strong technical control foundation that directly addresses many of the controls APRA will test against.

For most APRA-regulated entities, the practical approach is:

  1. Use CPS 234 as your governance and accountability framework — Board responsibilities, notification obligations, third-party risk, incident response
  2. Use the ACSC Essential Eight as your technical control implementation framework — MFA, patching, privileged access, backups, application control
  3. Use penetration testing and control assessments to generate the testing evidence both frameworks require

Know your compliance posture before you start: Before beginning a formal CPS 234 assessment, it helps to understand which controls you already meet and where your gaps are. Scoper, Fort1's free compliance scoping tool, maps your CPS 234 posture across the key control areas in minutes and is a practical first step before any formal assessment. Run a free Scoper assessment →

What a CPS 234 Assessment Looks Like in Practice

An external CPS 234 assessment typically follows this structure:

  1. Document review: Current policies, asset registers, incident response plans, vendor contracts, Board reporting packs
  2. Stakeholder interviews: CIO/CISO, risk and compliance team, IT operations, Board or Board Risk Committee
  3. Control testing: Technical testing of key controls — access management, patching, logging, backup recovery
  4. Gap report: Findings mapped to CPS 234 obligations, with evidence gaps and remediation priorities
  5. APRA evidence package: Documentation structured for examiner review — addressing the specific areas APRA tests

Fort1 conducts CPS 234 compliance assessments as a standalone engagement or as part of a broader compliance advisory program. Our output is designed for practical use — not a theoretical gap list, but a prioritised remediation roadmap with the evidence documentation your Board and APRA need to see.

Start with a free Scoper assessment; it takes about five minutes.

Scoper maps your compliance posture across CPS 234’s core requirements — information security capability, policy framework, incident response readiness, and third-party management. It’s a quick win you can action immediately — and it’s one of the first things we work through in any CPS 234 engagement.

Run a Free Scoper Assessment

Fort1 is an Australian cybersecurity firm based in Sydney. We provide compliance advisory (including APRA CPS 234 and ACSC Essential Eight assessments), penetration testing, and dark web monitoring for Australian financial services firms and other regulated entities. Contact us at info@fort1.com.au or +61 1300 294 089.