Achieve compliance to APRA CPS 234

The latest Australian Prudential Regulatory Authority (APRA) Prudential Standard CPS 234 (The Standard) which addresses information security, came into effect 1 July 2019. It aims to mitigate the threat of cyber-attacks by ensuring that APRA-regulated entities take appropriate measures to be cyber resilient.

The Standard applies to all APRA regulated entities, which includes authorised deposit taking institutions (i.e. banks), general insurers, life insurance companies, private health insurers, and registrable superannuation entity licensees.

A summary of APRA CPS 234 requirements

A summary of the Standard’s requirements is detailed below. Full details can be found at the APRA site here.

Roles and responsibilities

The Board of an entity is ultimately responsible for the information security of the entity.

Information security capability

An entity must actively maintain an information security capability commensurate with the size, changing nature and extent of threats to its information assets, and which enables the continued sound operation of the entity.

Policy framework

An entity must maintain an information security policy framework commensurate with its exposures to vulnerabilities and threats. The framework must provide direction on the responsibilities of all parties who have an obligation to maintain information security.

Information asset identification and classification

An entity must classify its information assets, including those managed by related parties and third parties, by criticality and sensitivity.

Implementation of controls

An entity must have information security controls to protect its information assets, including those managed by related parties and third parties. They must be commensurate with: (a) vulnerabilities and threats to the information assets; (b) the criticality and sensitivity of the information assets; (c) the stage at which the information assets are within their life-cycle; and (d) the potential consequences of an information security incident.

Incident management

An entity must have robust mechanisms in place to detect and respond to information security incidents in a timely manner.

Testing control effectiveness

An entity must test the effectiveness of its information security controls, including those of its third parties, through a systematic testing program. It must escalate and report to the Board or senior management any testing results that identify information security control deficiencies that cannot be remediated in a timely manner.

Internal audit

Internal audit activities must include a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties.

APRA notification

An entity must notify APRA as soon as possible and, in any case, no later than 72 hours after becoming aware of an information security incident that: (a) materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers; or (b) has been notified to other regulators locally or abroad.

An entity must APRA as soon as possible and, in any case, no later than 10 business days, after it becomes aware of a material information security control weakness which the entity expects it will not be able to remediate in a timely manner.

How Huntsman Security technology can help

Huntsman Security’s Essential 8 Scorecard and SIEM for Enterprises can help you comply with APRA CPS 234 and improve your cyber security posture.

Measure security control effectiveness with the Essential 8 Scorecard

Huntsman Security’s Essential 8 Scorecard measures the effectiveness of your organisation’s security controls; controls designed to defend against cyber attacks and insider threats. It provides continuous, objective cyber metrics via dashboards and automatically distributed reports to key stakeholders across the business.

Essential 8 Scorecard - Trend Report

Real-time monitoring and APRA notification with Enterprise SIEM

Huntsman Security’s Enterprise SIEM undertakes enterprise wide monitoring to increase the chance of early detection of incidents and support the investigation and confirmation of what has actually occurred. All audit and event logs from affected systems are available for immediate retrieval via drill down from alert. Databases and file shares are monitored to explicitly record type, sensitivity and number of records correlated with any activity suggesting loss such as copying, exporting, editing or deleting.

Huntsman Enterprise SIEM - Incident Dashboard

Find out more about APRA CPS 234 compliance


Read by directors, executives, and security professionals globally, operating in the most complex of security environments.