The prudential standard CPS 234 is a new information security standard that is applicable to APRA-regulated entities in Australia.

To operate in line with the requirements of the CPS 234 standard, organizations must:

• Clearly delineate the information security roles and responsibilities of the Board, senior management, governing bodies, and individuals.
• Maintain an information security framework that matches the size and scope of threats to information assets.
• Implement effective controls to protect information assets based on their criticality and sensitivity and conduct regular testing to verify the effectiveness of these controls.
• Notify APRA of significant information security incidents and control weaknesses.

Firms have until 1 July 2025 to align their information security processes with the APRA 234 standard. The CPS234 changes are therefore mandatory for an APRA-regulated entity from 1 July 2025.

The prudential regulation APRA CPS 234 applies to all APRA-related entities in Australia. It includes many organizations in the financial services industry. According to APRA CPS 234 applies to:

• Authorized deposit-taking institutions (ADIs), including foreign ADIs, and non-operating holding companies authorized under the Banking Act (authorized banking NOHCs).

• General insurers, including Category C insurers, non-operating holding companies authorized under the Insurance Act (authorised insurance NOHCs) and parent entities of Level 2 insurance groups.
• Life companies, including friendly societies and eligible foreign life insurance companies (EFLICs), and non-operating holding companies registered under the Life Insurance Act (registered life NOHCs).

It is important for financial services firms to comply with APRA CPS 234 because many financial services firms in Australia are APRA-regulated making the new CPS 234 requirements mandatory for many financial services organizations.

There are several processes that organizations need to implement to meet CPS 234 APRA requirements to achieve compliance. These include:

• Ensuring the organization has clearly defined roles for cyber security responsibilities with ample board responsibility based on the size of the entity.
• Implementing a best-practice cyber risk management program to detect threats and vulnerabilities.
• Implement effective information security controls and perform regular control testing to check for vulnerabilities.
• Formalize a cyber incident reporting process that enables cyber incidents to be logged and resolved quickly.
• Establish a best-practice third-party risk management program to manage the information security risk associated with vendors and suppliers.
• Keep of log of information security asset types and capture the criticality & impact if the data was compromised.
• Create a formalized IT asset management process to ensure all IT equipment and licences are up to date and meet the required cybersecurity standards.
• Create and maintain effective cyber security policies and procedures.
• Have a process in place to report any information security incidents or control defects to APRA within the designated timeframes.
• Conduct regular internal audits to assess the design and operating effectiveness of information security controls and third-party IT compliance.

The key features of CPS 234 software include:

• Automated workflows and notifications
• Customizable online forms
• Searchable registers and logs
• Dashboards & reports
• API integrations with other data sources and systems
• Best-practice IT security compliance templates
• Integrations with third-party risk intelligence providers

The key features of APRA aligned CPS 234 software include:

• Cyber & IT Risk Management
• A cyber controls library, control testing, and monitoring
• Cyber incident management
• An obligations library to monitor compliance with relevant information security regulations and standards including CPS 234
• Third-Party risk management
• Policy Management
• Asset management
• Cyber audit capabilities

Organizations should:

• Implement a best-practice cyber risk management program to identify, assess and manage cyber risks, with effective internal controls, monitoring, control testing, and remediation plans.
• Implement a third-party risk management program to effectively manage the cyber risks associated with vendors including a service provider management policy, formal agreements, and robust monitoring.
• Create a cyber incident reporting process with clear escalation routes and workflows to ensure swift resolution.
• Create an asset management log to easily be able to report on aging IT equipment and expired licences.
• Create a data classification log to capture information assets and the impact if they were compromised.
• Create a formal process to notify APRA of any information security incidents of control failures within the required timelines.
• Establish an internal audit process to revise the design and effectiveness of information security controls and to ensure compliance with APRA CPS 234 requirements – with clear routes to implement remedial measures and address issues.

Firms should establish a best-practice third-party risk management program using CPS 234-compliant software. A GRC platform with vendor risk management capabilities will allow you to create a comprehensive vendor register that captures essential details such as vendor contracts, costs, key contacts, SLAs, and KPIs. You can easily monitor supplier performance, perform benchmarking & score carding (with integrations from risk intelligence providers), and conduct regular online vendor risk assessments through a central online vendor portal. Real-time dashboards and reports provide a complete view of your cyber risk exposure from vendors.

When selecting a CPS 234 compatible software platform to meet the regulatory requirements of CPS 234, leaders must consider:

• Does the platform offer sufficient capabilities to manage CPS 234 APRA requirements? – Look for a platform that offers cyber risk management, controls and control and vulnerability testing, cyber incident management, third-party risk management, asset management, policy management and other supporting functionality such as compliance and audit capabilities out-of-the-box.
• Can the CPS 234 platform be implemented in a way that meets the specific requirements of your organization?
• Can the cyber risk management capabilities scale with your firm as your needs expand and your IT GRC program matures – look for solutions that enable you to align cyber risk management with the relevant, controls, policies, procedures, audits, assets, and information security compliance obligations.
• What data privacy practices & security features does the CPS 234 tool offer as standard, and does it align with your internal IT requirements?
• Does the CPS 234 compatible software link to your other internal systems and data sources via APIs to pull relevant data into and out of the platform to ensure a single source of truth for cyber risk data – cutting out data input errors?

The benefits of using a GRC platform to manage CPS 234 requirements include:

• A reduction in time spent on cyber risk reporting, data aggregation, and administration tasks.
• GRC and cyber risk platforms provide a centralized view of cyber risk across the entire enterprise enabling you to take proactive measures and implement sufficient controls.
• Governance, Risk & compliance solutions enable the entire organization to understand CPS 234 requirements and actively participate in complying with the guidelines – completing cyber risk and control related tasks and logging and resolving cyber incidents as part of their daily role. This creates ample cyber risk data to inform business decision-making and provide proof of CPS 234 compliance.
• IT GRC solutions generate better visibility of an organizations cyber risk profile and many offer cyber incident reporting, asset management, compliance, policy management, ESG, business continuity, operational resilience, project risk management, and supply chain & third-party risk management in the same platform for a complete IT GRC process.
• CPS 234 enabled cyber risk platforms reduce the costs associated with cyber risk monitoring and reporting.
• CPS 234 compatible software platforms improve an organizations’ approach to cyber risk management, by facilitating crucial links between cyber risk management, cyber incidents, compliance violations, audit outcomes, assets, and policies.
• IT GRC solutions support firms to carry out adequate due diligence to provide proof of CPS 234 compliance to regulators.

• Poor quality cyber risk data due to a lack of data governance & data entry errors.
• Capturing cyber risk and incident data across various forms and spreadsheets creates data input problems like copy & paste errors, over written data, and incomplete fields.
• Disparate cyber risk and incident data held in dispersed, unintegrated spreadsheets creates poor quality data, and an inconsistent risk framework that results in distorted reporting outputs – causing problems with CPS 234 compliance.
• Relying on manual processes that lack automation slows down the cyber risk escalation and remediation process, allowing cyber risk to escalate to intolerable levels, leaving companies struggling to meet CPS 234 guidelines.
• Manual ad hoc processes affect compliance with CPS 234 – making it hard for firms to prove they are meeting requirements due to a lack of documented evidence.
• Disjointed processes and siloed data make it difficult to link cyber risks to the relevant controls and incidents, audits, and assets, causing gaps in CPS 234 compliance.
• Firms are unable to compare cyber risk & incident data across different sites due to inconsistent risk frameworks and siloed data. This makes it hard to make risk-based decisions and provide proof of CPS 234 compliance across departments and sites.