
APRA CPS 234 Compliance

Go digital with confidence in financial services.

The financial services industry has adopted digital technology faster than almost any other industry segment.

Digital enables new customer experiences, new products and services, greater reach and lower transaction costs.

It's also created opportunities for cyber criminals to commit financial and identity theft. Reducing your cyber risk profile starts with understanding your current state of readiness - your people, your infrastructure and your processes. Complying with CPS 234 isn't the complete solution, but it is a mandatory step towards better cyber security for APRA-regulated entities.

Who needs to comply?

CPS 234 applies to all APRA-regulated entities including:

  • Authorised deposit-taking institutions (ADIs), including foreign ADIs, credit unions, banks, and non-operating holding companies authorised under the Banking Act

  • General insurers, including Category C insurers, non-operating holding companies authorised under the Insurance Act, and parent entities of Level 2 insurance groups

  • Life companies, including friendly societies, eligible foreign life insurance companies and non-operating holding companies registered under the Life Insurance Act

  • Private health insurers registered under the PHIPS Act

  • RSE licensees under the SIS Act (the trustees of APRA-regulated superannuation funds) in respect of their business operations

Importantly, where an APRA-regulated entity's information assets are managed by a third party, including cloud service providers, CPS 234 also applies to those information systems and assets.

What are my responsibilities?

Whilst not an exhaustive list, broadly speaking CPS 234 requires APRA-regulated entities to:

  • Define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals

  • Maintain an information security capability appropriate to the threat to its information assets, and which enables the continued operation of the entity

  • Implement controls to protect its information assets appropriate to the criticality and sensitivity of those assets, and undertake ongoing testing and assurance of the effectiveness of those controls

  • Notify APRA of material information security incidents, and of material control weaknesses that the entity expects it will not be able to remediate in a timely manner

These key requirements are then further broken down into eight broad categories:

  1. Information security capabilities

  2. Policy frameworks

  3. Information asset identification & classification

  4. Implementation of appropriate information security controls

  5. Security incident management

  6. Testing of the effectiveness of controls

  7. Internal audits

  8. APRA notifications

Where can I go for help?

Ionize has helped some of Australia's most trusted brands achieve and maintain CPS 234 compliance, and our experience can help guide your business to a solution that's appropriate for your unique circumstances.

Even if you're not sure of your CPS 234 compliance requirements or status, there's no reason not to get started with good cyber hygiene.

Ionize recommends every business implement basic cyber security best practices:

  • keep up to date with vendor-supplied security patches for your devices and software, to close off well-known attack paths

  • implement multi-factor authentication (MFA, also called 2FA) so that a stolen password alone is not enough to log in

  • implement endpoint security protection such as anti-virus software to protect your staff and customers from falling victim to common attacks

Finally, give us a call or reach out through the Chat facility on our website - we're happy to help.