Skip to main content

APRA Standard CPS 234 is a prudential standard created by the Australian Prudential Regulation Authority (APRA) to enhance the cybersecurity capabilities of Australia’s financial services industry. The standard aims to ensure that APRA-regulated entities are better equipped to manage cybersecurity risks and protect themselves and their customers from cyber threats.

Adam Zani
Adam Zani

Director | Australia and New Zealand

APRA 5 steps


Who is affected by CPS 234?

APRA is the regulatory body responsible for overseeing the prudential regulation of banks, insurers, and superannuation funds in Australia.

APRA Standard CPS 234 therefore primarily affects APRA-regulated entities, including:

  • authorised deposit-taking institutions (ADIs) (banks, building societies, and credit unions);
  • general insurance companies;
  • life insurance companies;
  • private health insurers; and
  • superannuation funds (i.e., managed investment schemes that invest in retirement savings).

These entities are required to comply with CPS 234 and implement the necessary measures to strengthen their cybersecurity capabilities.

What does APRA mean to achieve with CPS 234?

APRA’s intention is to ensure that the entities it regulates maintain robust cybersecurity capabilities to protect themselves and their customers from cyber threats. These regulated entities must:

  • either enhance existing cybersecurity governance measures or establish a robust cybersecurity governance framework to oversee and manage cybersecurity risks effectively;
  • implement information security controls to protect their information assets from unauthorised access, disclosure, alteration, or destruction;
  • have effective incident response capabilities and plans in place to respond promptly and effectively to cybersecurity incidents and breaches;
  • enhance their data management and third-party risk management (TPRM), by ensuring their own people manage data effectively and that their third-party service providers adhere to the same high cybersecurity standards.

What are the penalties for non-compliance?

APRA has a range of options when it comes to penalising non-compliance, including (but not limited to):

  • Financial penalties, which can be significant and may vary depending on the nature and severity of the non-compliance.
  • Enforcement actions, which can include public censures, fines, or other disciplinary actions.
  • Requirement to undertake specific remedial actions to address the deficiencies and strengthen the entity’s cybersecurity capabilities.
  • Reputational damage, as APRA will publicise the names of entities found to be non-compliant. This could harm a firm’s ability to attract customers or do business in the future.

Whichever jurisdiction you’re in and whoever your regulator is, if you are worried about the growing cyber threats facing your firm, and about the ever-changing regulatory requirements, contact me or the team to find out more about what we can do to help you.


Orbit Intelligence

Orbit Intelligence

Centralise your monitoring and reporting, access Thomas Murray risk assessments and third-party data feeds.

Learn more