In November 2018, the Australian Prudential Regulation Authority (APRA) released Prudential Standard CPS 234 Information Security in direct response to the escalating attack landscape in the financial sector. APRA attributed these threats to banking services moving onto more complex and heavily used digital platforms. The new Standard followed the Notifiable Data Breaches (NDB) scheme, which came into effect in February 2018. With the advent of online services and new entities such as neobanks, these controls have now become critical. CPS 234 requires APRA-regulated entities to maintain an information security capability commensurate with the vulnerabilities and threats to their information assets, so that they remain resilient against information security incidents, including cyber attacks.

CPS 234 applies to any entity that is regulated by APRA. These include:

  • Banks, neobanks, credit unions, building societies and any other Authorised Deposit-taking Institutions (ADIs).
  • Insurance companies.
  • Superannuation Funds.
  • Private health insurance companies.
  • Non-operating holding companies.
  • Life companies and friendly societies.

CPS 234 is not limited to domestic entities. It is applicable to foreign entities as well, namely:

  • Foreign ADIs
  • Foreign General and Eligible Foreign Life Insurance Companies (EFLICs)

CPS 234 commenced on 1 July 2019. This means that if an organisation’s information assets are managed by a third party, it must make sure any new contracts are CPS 234 compliant. For contracts already in force on that date, organisations had until the earlier of the next contract renewal or 1 July 2020 (a one-year transition period) to bring those arrangements into compliance.

Who Is Responsible for CPS 234 Compliance?

The responsibility for ensuring compliance with CPS 234 ultimately falls on the Board of Directors of each APRA-regulated entity. The Board must ensure that the entity maintains information security in a manner commensurate with the size and extent of the threats to its information assets, and that it can continue to operate soundly if those assets are compromised.

What Are the Key Requirements?

Some of the broader requirements of CPS 234 are: