CPS 234 Information Security Guide: What APRA Expects From Your Cyber Defences
APRA Prudential Standard CPS 234 (Information Security) requires all APRA-regulated entities to maintain information security capability commensurate with the threats they face. It's the standard that led to Medibank's $250 million capital charge — and APRA is actively enforcing it.
Why CPS 234 Matters Now
CPS 234 commenced on 1 July 2019, but enforcement has accelerated dramatically since the Medibank breach in October 2022. APRA has made it clear that CPS 234 compliance is not optional — and capital charges are the enforcement tool of choice.
Key Requirements
1. Information Security Capability
An entity must maintain an information security capability commensurate with the size and extent of threats to its information assets. This means:
- Information security resources (people, budget, tools) proportionate to risk
- Qualified information security personnel
- Board and senior management awareness of information security risks
2. Roles and Responsibilities
The entity must clearly define the information security-related roles and responsibilities of:
- The Board
- Senior management
- Governing bodies (e.g., security steering committee)
- Individuals with information security responsibilities
3. Information Security Framework
An entity must maintain an information security policy framework commensurate with its exposures to vulnerabilities and threats. The framework must be reviewed at least annually.
4. Information Asset Management
Entities must classify information assets by criticality and sensitivity, and implement controls commensurate with their classification. This includes assets managed by related parties and third parties.
5. Control Implementation
Information security controls must be implemented to protect information assets commensurate with their criticality and sensitivity, and with the stage of their lifecycle. Controls must cover:
- Physical and environmental security
- Access management (authentication, authorisation)
- Data protection (encryption, data loss prevention)
- Network security
- Vulnerability management and patching
6. Incident Management
Entities must have mechanisms to detect and respond to information security incidents in a timely manner.
7. The 72-Hour Notification Rule (Paragraph 36)
This is the most critical operational requirement:
- An entity must notify APRA of material information security incidents
- Notification must occur as soon as possible and no later than 72 hours after becoming aware
- "Material" means incidents that could materially affect the entity's operations, depositors, policyholders, or beneficiaries
- Note: CPS 234 incident notifications satisfy CPS 230's operational incident notification for information security events
8. Control Testing
An entity must test the effectiveness of its information security controls through a systematic testing program. Testing frequency must be commensurate with:
- The rate of change in vulnerabilities and threats
- The criticality and sensitivity of the information asset
- The consequences of an information security incident
- The risks associated with exposure to environments where the entity is unable to enforce its information security policies
9. Internal Audit
The entity's internal audit function must review the design and operating effectiveness of information security controls, including those maintained by related parties and third parties.
CPS 234 and Third Parties
This is a critical area that many entities underestimate. Where an entity's information assets are managed by a related party or third party, the entity must:
- Assess the information security capability of the third party
- Ensure the third party's controls are commensurate with the entity's information security requirements
- Actively manage the security risks associated with the third-party arrangement
This intersects directly with CPS 230's service provider management requirements.
Compliance Checklist
- Information security policy framework reviewed annually
- Information assets classified by criticality and sensitivity
- Security controls proportionate to asset classification
- Roles and responsibilities clearly defined (Board through to operational)
- Systematic control testing program in place
- Incident detection and response capability operational
- 72-hour APRA notification process documented and tested
- Third-party security assessments current
- Internal audit review of information security controls
- Board reporting on information security posture
Related Standards
- CPS 230 — operational risk (cyber incidents are operational risk events)
- CPS 220 — risk management (information security risk within the RMF)
- CPG 234 — APRA's guidance note on CPS 234 implementation
- Privacy Act 1988 — notifiable data breaches (separate regime, both may apply to the same incident)
- FAR Act 2023 — accountable persons must have CPS 234 responsibilities allocated
This guide is for informational purposes. Consult qualified cybersecurity and compliance professionals.