CPS 234 is APRA’s prudential standard on information security. It binds banks, insurers and superannuation funds, and through them their third-party providers. Core duties: maintain real security capability, define who owns what, implement and test controls, and notify APRA within 72 hours of a material incident. If you supply a regulated entity, you are in scope by flow-down.
Who CPS 234 actually applies to
The Australian Prudential Regulation Authority (APRA) regulates the entities that hold the country’s deposits, insurance pools and retirement savings. CPS 234 has applied to all of them since 1 July 2019. The list of APRA-regulated entities covers authorised deposit-taking institutions (banks, building societies, credit unions), general and life insurers, private health insurers, and registrable superannuation entity licensees.
If you run one of those, none of this is news. The part that catches Melbourne SMEs out is the flow-down. CPS 234 explicitly requires a regulated entity to manage the information security of the third parties it relies on. The standard says the board of the regulated entity is ultimately responsible for information security, and that responsibility does not evaporate when data or systems are handed to a vendor. So the obligation lands on the regulated entity, and the regulated entity pushes it down the supply chain in the form of contract clauses, security questionnaires and audit rights.
That is how a 25-person fintech in Cremorne, a claims-processing bureau in Box Hill, or a SaaS company that sells loan-origination software to a credit union ends up answering a 200-line security assessment. You are not directly regulated by APRA. But your customer is, and they cannot meet their own CPS 234 obligations unless you can demonstrate you handle their information security to a comparable standard.
The four obligations that matter
Strip away the prudential language and CPS 234 asks regulated entities (and, by extension, the providers they lean on) to do four things.
1. Maintain information security capability commensurate with the threats
This is not a checkbox. APRA wants the size and maturity of your security capability to match the sensitivity of the information you hold and the threat environment you operate in. A provider holding superannuation member data and bank account details is expected to have stronger controls than one handling a low-risk marketing list. Capability here means people, processes and technology — not a firewall and a hope.
2. Clearly define information security roles and responsibilities
Someone has to own this. The standard requires roles and responsibilities for information security to be clearly defined across the board of directors, senior management, governance bodies and individuals. In practice that means a named accountable person, documented responsibilities, and no “we assumed IT was handling it”. For an SME supplier, this is often the single biggest gap — security is everyone’s job, which means it is nobody’s job, until a regulated customer asks who owns it.
3. Implement controls and test them regularly
You must implement information security controls to protect assets, and — this is the part people skip — systematically test the effectiveness of those controls. Testing has to be proportionate to the rate of change in vulnerabilities and threats, the criticality of the assets, and the consequences of a breach. Controls that have never been tested are assumptions, and APRA does not accept assumptions. This is where penetration testing, control reviews and internal audit come in.
4. Notify APRA within 72 hours of a material incident
A regulated entity must notify APRA no later than 72 hours after becoming aware of an information security incident that materially affected, or had the potential to materially affect, the entity or the interests of depositors, policyholders or members. There is also a 10-business-day window to notify APRA of a material information security control weakness the entity cannot remediate in time. For a third-party provider, the practical effect is that your incident at 2am becomes your customer’s regulatory clock. If you sit on a breach for a week, you have blown their 72-hour notification before they even knew.
CPS 234 and CPS 230: how they fit together
CPS 234 does not exist on its own anymore. APRA’s newer operational risk standard, CPS 230, came into force on 1 July 2025, and it widens the lens considerably. Where CPS 234 is squarely about information security, CPS 230 is about operational resilience across the board — operational risk management, business continuity, and the management of material service providers.
The overlap that matters for suppliers is the service-provider piece. CPS 230 requires regulated entities to maintain a register of material service providers, conduct due diligence, manage the risks those providers introduce, and have contracts that meet a defined set of requirements. If you were already feeling the squeeze from CPS 234 flow-down, CPS 230 tightens it: your regulated customers now have a formal, examinable obligation to assess and monitor you as a material service provider.
| | CPS 234 | CPS 230 |
|---|---|---|
| In force | 1 July 2019 | 1 July 2025 |
| Focus | Information security | Operational risk and resilience |
| Key supplier impact | Security control flow-down, incident notification | Material service provider register, due diligence, contract requirements |
| Incident clock | 72 hours to APRA for material security incidents | 72 hours to APRA for material operational risk incidents |
| What it means for you | Prove your security controls | Prove you are a managed, resilient dependency |
Read together, the two standards say the same thing to a supplier: a regulated customer is now contractually and prudentially obliged to know how you protect their data and how you keep running when something goes wrong. Vague answers cost you the contract.
Why a Melbourne professional-services or fintech SME gets pulled in
We see this pattern across our professional-services and fintech clients. The business has no direct line to APRA, has never read a prudential standard, and assumes compliance is the bank’s problem. Then a deal with an APRA-regulated entity reaches procurement, and the security questionnaire arrives. Suddenly the SME is asked to evidence things it has never documented.
A fintech in Richmond we work with builds reporting tools for a superannuation fund. They had solid engineering and genuinely good security instincts, but nothing written down. The fund’s vendor risk team, working to CPS 234 and now CPS 230, wanted documented roles, evidence of control testing, a tested incident response plan with a 72-hour notification commitment baked into the contract, and proof that access to member data followed least privilege. The technology was fine. The governance evidence did not exist, and that nearly killed the deal.
The flow-down is rarely negotiable. The regulated entity cannot waive its own obligation, so it cannot accept “trust us” from a supplier. If you cannot demonstrate the controls, you do not get added to the approved-vendor register, and the contract goes to a competitor who can.
What to do about it
The good news: meeting the substance of a CPS 234 flow-down is the same work that meets the Essential Eight and most cyber-insurance requirements. You are not building a separate program; you are documenting and testing one. A practical order of operations:
- Assign ownership. Name an accountable person for information security in writing, even if it is the director. This single step answers the most common question on every vendor assessment.
- Document your controls. Map what you actually do — multi-factor authentication, patching cadence, access management, logging, backups — against a recognised framework. The Australian Cyber Security Centre (ACSC) Essential Eight is the most defensible baseline for an Australian SME, and it maps cleanly onto CPS 234’s control expectations.
- Test the controls. Run a penetration test and a control review so you can show evidence, not assertions. CPS 234’s testing obligation is the one suppliers most often fail to evidence.
- Write and rehearse an incident response plan. Include a contractual notification commitment that lets your regulated customer hit their 72-hour APRA deadline. Practise it — a plan nobody has run is the same as no plan.
- Get the contract language right. Expect audit rights, sub-contractor disclosure, data-handling terms and breach-notification timelines. Have these reviewed before you sign.
For most SMEs in this position, the bottleneck is not the technology — it is having the security capability, the documentation and the testing evidence to put in front of a sharp vendor-risk reviewer. That is the work an MSP does day to day. We run this for clients through our cybersecurity services and, where the governance side needs ownership, our virtual CIO function, both backed by 13 Australian-employed engineers and a 24/7 NOC out of Tecoma. Essential Eight alignment and ISO 27001-capable processes mean the evidence is there when the questionnaire lands, not scrambled together the week it is due.
Frequently asked questions
Does CPS 234 apply directly to my business?
Only if you are an APRA-regulated entity — a bank, insurer, private health insurer or superannuation licensee. If you supply one of those, CPS 234 does not bind you directly, but it reaches you through contract flow-down because your customer must manage your information security to meet its own obligation. The practical effect is the same: you have to evidence your controls.
What counts as a material information security incident?
One that materially affected, or had the potential to materially affect, the regulated entity or the interests of its depositors, policyholders or members — for example a breach exposing customer financial data or a ransomware event taking down a critical system. The regulated entity makes that call, but as their supplier your job is to report any incident to them fast enough that they can meet the 72-hour APRA window.
How is CPS 230 different from CPS 234?
CPS 234 is about information security specifically. CPS 230, in force since 1 July 2025, is broader — operational risk, business continuity and the management of material service providers. For suppliers, CPS 230 adds formal due diligence, a material service provider register and stricter contract requirements on top of the CPS 234 security expectations.
How long does it take to get ready for a vendor security assessment?
If your controls are genuinely sound and only the documentation is missing, a focused program of assigning ownership, documenting controls, running a penetration test and writing an incident response plan typically takes weeks, not months. If the underlying controls have real gaps, plan for longer. Either way, start before the deal reaches procurement, not after.
The short version
CPS 234 makes APRA-regulated entities responsible for their own information security and for the security of everyone they hand data to. That responsibility flows down to suppliers as contract terms, questionnaires and audit rights, and CPS 230 has only tightened the grip. If you are a Melbourne professional-services or fintech SME selling into financial services, the requirements will find you whether or not you have read the standard. The fix is to treat security as documented, tested and owned — not assumed. If you want help getting evidence-ready before the next questionnaire arrives, get in touch and we will map where you stand.
