Cyber-attacks are a real and growing risk, with the ability to profoundly impact an organisation’s operations. APRA’s new Prudential Standard CPS 234 is geared at lessening regulated entities’ vulnerabilities, and requires those entities to beef up their information security management. If you’re racing against the clock, read on for some last-minute guidance…


With just under a month to go until the new APRA Prudential Standard CPS 243 (CPS 234) comes into effect, APRA regulated entities should be reviewing their information security management framework to ensure compliance.

Commencing on 1 July 2019, CPS 234 is geared at bolstering the resilience of APRA-regulated entities against cyber-attacks and other information security incidents. It will require regulated entities to take a proactive approach to managing such risks, and to maintain information security capabilities that reflect the significance of the data they hold and the impact of potential threats.

Who needs to comply?

CPS 234 will apply to ‘APRA regulated entities,’ which includes authorised deposit-taking institutions, general insurers, life insurance companies, private health insurers and registrable superannuation entity licensees.

Key requirements

The key requirements of CPS 234 are that APRA regulated entities must:

  • clearly define the information security roles and responsibilities of the Board, senior management, governing bodies, and certain individuals within the entity (noting that the Board will have ultimate accountability for the entity’s information security);
  • implement and maintain an information security capability which is commensurate with the size and extent of threats to the entity’s information assets;
  • classify the entity’s information assets by criticality and sensitivity (including those managed by third parties);
  • implement and maintain information security policies, standards, guidelines and procedures, again as commensurate with the entity’s exposure to vulnerabilities and threats;
  • implement robust mechanisms and information security response plans to promptly detect and respond to information security incidents;
  • undertake regular testing of information security controls, performed by appropriately skilled and functionally independent specialists;
  • ensure that internal audits review the effectiveness and design of all information security controls (including the controls of any third parties which manage information assets); and
  • notify APRA within 72 hours of becoming aware of certain security incidents (actual or potential), and within 10 business days of becoming aware of certain security control weaknesses.

It’s worth noting that where an entity’s information assets are managed by a third party, a transitional period is provided – that is, the requirements of CPS 234 will not apply to those information assets until either the next renewal date for the relevant third party contract or 1 July 2020 (whichever is earlier).

Are we prepared?

With less than a month to go, all APRA regulated entities should be confirming that robust measures have been implemented to ensure compliance with the above requirements.

As the board, senior management, audit and operational functions of an entity will be directly (and in some cases, significantly) impacted by CPS 234, it’s worth investing the time now to make sure everything is in place.

If you would like further information or have any questions, please contact us.

This is for general information only and formal legal advice should be sought on matters of interest arising from this article.


Email: [email protected]
Mobile: +61 413 336 990

Email: [email protected]
Mobile: +61 431 270 591