Is your organisation ready for APRA’s new information security measures?


Prudential Standard – CPS 234

This article was written by Patrick Gunning and James McGrath.

On 7 November 2018 APRA released the final version of Prudential Standard CPS 234 Information Security (CPS 234) and a response paper to submissions received during the consultation period, titled 'Response to Submissions - Information security: Cross-industry prudential standard'. The new standard will commence on 1 July 2019.

CPS 234 is the first Australian prudential standard to specifically address information and cyber security, indicating that APRA now considers it sufficiently important to warrant a separate standard backed with the force of law. By developing a distinct prudential standard for information security, APRA has expressed a clear intention to ensure the resilience of Australia's finance industry and minimise the likelihood and impact of information security incidents.

Unlike a "practice guide", compliance with a prudential standard is mandatory for entities regulated under the Banking Act 1959 (Cth), Insurance Act 1973 (Cth), Life Insurance Act 1973 (Cth), Private Health Insurance (Prudential Supervision) Act 2015 (Cth) and Superannuation Industry (Supervision) Act 1993 (Cth).

We previously summarised the draft CPS 234 and set out the background and purpose of CPS 234. Read more about the draft prudential standard here.

Recent updates

Since the draft prudential standard was released on 7 March 2018, APRA received 39 "generally supportive" submissions. However, the final version released last week contained some key amendments, including:

In response to concerns about onerous and unachievable timeframes for notifying APRA of information security incidents, CPS 234 allows regulated entities a period of up to 72 hours to notify APRA after becoming aware of an information security incident (previously this was 24 hours after experiencing an information security incident). The extended timeframe aligns the Australian regime with the breach notification timeframes under the EU General Data Protection Regulation (GDPR). Further, regulated entities will have ten business days to notify APRA after becoming aware of a material information security control weakness which they expect will not be remediated in a timely manner (previously this was five business days).

Third party arrangements

APRA's stated intention is to subject all information assets to the same level of requirements, regardless of whether a regulated entity's information assets are managed internally or by a third party. CPS 234 now expressly applies to all information assets managed by related parties and third parties, not only those captured under agreements with service providers of outsourced material business activities. This includes all "downstream providers" in the supply chain (i.e. subcontractors, sub-subcontractors, etc.).

Transitional arrangements

To enable regulated entities with information assets managed by third parties (such as under outsourcing contracts) to review, renegotiate and amend those agreements, a transitional period has been introduced. Those entities will have until the earlier of the next renewal date of the contract with the third party (occurring on or after 1 July 2019) or 1 July 2020 to ensure that the information assets are managed in accordance with CPS 234.

Checklist of requirements

Authorised deposit taking institutions, general insurers, life insurers, private health insurers, licensees of registrable superannuation entities and authorised or registered non-operating holding companies will be subject to CPS 234.

Obligations on entities under CPS 234 include:

Allocating responsibilities

Clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals.

Creating a policy framework 

Maintain an information security policy framework which provides direction on the responsibilities of parties and is commensurate with the entity's exposures to vulnerabilities and threats.

Assigning board responsibility 

The board is ultimately responsible for information security and must ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets and which enables the continued sound operation of the entity. 

Commencing third party assessment

Assess the information security capability of related parties or third parties managing information assets, commensurate with the potential consequences of an information security incident affecting those assets.

Classifying information 

Implement robust mechanisms to detect and respond to information security incidents in a timely manner, including all relevant stages of an incident and escalation and reporting of information security incidents.

Reviewing incident management plans 

Review and test information security response plans to ensure they remain effective and fit-for-purpose.

Review the design and operating effectiveness of information security controls, including those maintained by related parties and third parties.

Notifying APRA

Notify APRA:
  • as soon as possible (and no later than 72 hours) after becoming aware of an information security incident;
  • as soon as possible (and no later than 10 business days) after becoming aware of a material information security control weakness which is expected to not be able to be remediated in a timely manner.

What's next?

CPS 234 commences on 1 July 2019, subject to the transitional arrangements.  

In the near future, APRA will also undertake consultation on an updated cross-industry prudential practice guide on information security, which will replace the current Prudential Practice Guide CPG 234 Management of Security Risk in Information and Information Technology.
