APRA Prudential Standard CPS 234
APRA's information-security prudential standard requiring regulated entities to maintain information-security capability commensurate with the threats they face.
What CPS 234 actually is.
CPS 234 applies to all APRA-regulated entities: authorised deposit-taking institutions (banks), general, life and private health insurers, and superannuation trustees (RSE licensees). It imposes six core obligations: clearly defined information-security roles and responsibilities; an information-security capability commensurate with the size and extent of threats to the entity's information assets; a policy framework that directs personnel and third parties; controls that protect information assets, including those managed by related parties and third parties; systematic testing of those controls; and notification to APRA of material information-security incidents as soon as possible and no later than 72 hours after becoming aware of them (a material control weakness that cannot be remediated in a timely manner must be notified within 10 business days). The Board is ultimately responsible for information security under the standard.
All APRA-regulated entities, including ADIs, foreign ADIs, general insurers, life insurers, private health insurers and superannuation trustees (RSE licensees).
The control areas the framework covers.
Summary of the control families and outcomes the framework drives. Always validate against the official publication for the authoritative wording.
01 Roles and responsibilities: clearly define information-security roles and responsibilities, including those of the Board, senior management, governing bodies and individuals.
02 Information-security capability: maintain a capability commensurate with the size and extent of threats to the entity's information assets, and with the criticality and sensitivity of those assets; this extends to assets managed by related parties and third parties.
03 Policy framework: maintain an information-security policy framework, commensurate with the entity's exposure to vulnerabilities and threats, that directs the behaviour of personnel and third parties.
04 Implementation of controls: implement controls that are adequate and appropriate to protect information assets against vulnerabilities and threats, including assets managed by related parties and third parties.
05 Testing: systematically test the effectiveness of controls, with a nature and frequency commensurate with the threat environment and the criticality of the assets, remediate what the testing finds, and have internal audit review the design and operating effectiveness of controls.
06 Incident notification: notify APRA as soon as possible and no later than 72 hours after becoming aware of an information-security incident that has materially affected, or could materially affect, the entity or the interests of its depositors, policyholders or beneficiaries, or that has been notified to another regulator; notify material control weaknesses that cannot be remediated in a timely manner within 10 business days.
Read it from the issuing body.
For anything with a regulator or certification body behind it, the authoritative text is what counts - not our summary.
APRA Prudential Standard CPS 234
apra.gov.au/information-security
Content on this page is a plain-language summary for programme planning. It is not legal or regulatory advice, and it does not replace a current copy of the issuer's publication.
How Vectra delivers against CPS 234.
Assessment, engineering and operational services that line up with the framework's control areas.
Managed Detection & Response
Sovereign Australian XDR powered by nine global SOCs, AWS Australia hosting and 24x7 human-verified response.
Penetration Testing
Find it before the attackers do - CREST-certified engagements that deliver actionable findings, not compliance checkboxes.
Red & Purple Team Operations
Intelligence-led adversary simulation measured in MITRE ATT&CK coverage, detection latency and response gaps - not CVSS scores.
ISO 27001 Compliance & Audits
Implement, certify and maintain the international standard for information security management - end-to-end across the three-year cycle.
Virtual CISO
Fractional security leadership embedded with your executive team.
Where CPS 234 shows up.
Sectors where Vectra most commonly applies this framework.
Security, engineered around you.
Talk to an engineer - not a call centre. Most Vectra conversations start with a 30-minute technical briefing and end with a written plan.