Compliance — APRA CPS 234

APRA CPS 234 compliance for regulated entities.

Cliffside works with financial institutions and insurance companies to meet APRA's information security requirements. We understand the regulator's expectations, the practical challenges of implementation, and the overlap with ISO 27001 and Essential Eight — so you don't duplicate effort across compliance frameworks.

Information security isn't optional for APRA-regulated entities.

APRA Prudential Standard CPS 234 requires APRA-regulated entities to maintain an information security capability commensurate with the size and extent of threats to their information assets. It applies to all authorised deposit-taking institutions (ADIs), general insurers, life insurers, and private health insurers.

Unlike ISO 27001, CPS 234 is a mandatory prudential standard — non-compliance can result in regulatory action. The standard requires entities to clearly define information security roles and responsibilities, maintain sufficient capability, implement controls proportional to risk, and notify APRA of material incidents and control weaknesses.

Common compliance gaps we see.

Most regulated entities understand their obligations in principle. The challenge is translating CPS 234's principles-based requirements into concrete, demonstrable controls. Common gaps include insufficient testing of controls, unclear third-party risk obligations, inadequate internal audit coverage, and incident notification procedures that don't meet APRA's 72-hour and 10-day timelines.

The biggest risk is treating CPS 234 as a standalone exercise. There is significant overlap with ISO 27001, Essential Eight, and your existing risk management frameworks. We help you leverage that overlap so you're not building parallel compliance programmes.

CPS 234 — the core obligations.

01
Roles & Responsibilities

Clearly defined information security roles for the Board, senior management, governing bodies, and individuals. The Board is ultimately responsible for the entity's information security.

02
Information Security Capability

Maintain capability commensurate with the size and extent of threats — including skilled personnel, sufficient resources, and access to appropriate tools and technologies.

03
Information Asset Management

Classify information assets by criticality and sensitivity. Maintain controls proportional to each asset's classification and the threats it faces.

04
Policy Framework

Maintain an information security policy framework that is reviewed at least annually and provides direction on all key areas of information security management.

05
Control Testing

Systematically test the effectiveness of information security controls through a programme of testing. Testing must be performed by appropriately skilled and independent specialists.

06
Incident Management & Notification

Establish mechanisms to detect and respond to information security incidents. Notify APRA within 72 hours of becoming aware of a material incident, with a follow-up report within 10 business days.

07
Internal Audit

Internal audit must review the design and operating effectiveness of information security controls, including those managed by third parties and related parties.

08
Third-Party Arrangements

Evaluate the information security capability of third parties managing information assets. Ensure contractual arrangements address your security requirements and right to audit.

How Cliffside helps with CPS 234.

01
CPS 234 Gap Assessment

A comprehensive assessment of your current information security posture against all CPS 234 requirements. We identify genuine gaps, prioritise remediation by risk, and produce a roadmap that maps to your existing compliance efforts — including ISO 27001 and Essential Eight.

02
Control Design & Implementation

We design and help implement the controls required to meet CPS 234 obligations — from information asset classification frameworks to incident response procedures and APRA notification processes. Built to work within your existing governance structure.

03
Independent Control Testing

CPS 234 requires independent testing of information security controls. Our OSCP and CREST certified testers deliver the technical testing your internal audit programme requires — penetration testing, vulnerability assessment, and control effectiveness reviews.

04
Board & Executive Reporting

Clear, executive-level reporting that satisfies APRA's expectations for Board oversight. We help you build reporting frameworks that give your Board meaningful visibility into information security risk — not just compliance status.

APRA-regulated entities across Australia.

Banks & ADIs

Authorised deposit-taking institutions — from major banks to credit unions and building societies — meeting their CPS 234 obligations.

General Insurers

General insurance companies managing complex information assets across underwriting, claims, and distribution channels.

Life & Health Insurers

Life insurers and private health insurers protecting sensitive personal and health information under APRA's prudential framework.

Understand your CPS 234 position.

Start with an honest assessment of where you stand. We'll identify the gaps that matter, map the overlap with your existing frameworks, and give you a practical path to compliance.