---
url: 'https://www.corbado.com/blog/cps234'
title: 'How to stay compliant with CPS 234 in 2026?'
description: 'Learn about APRA CPS 234, its requirements, and how to ensure compliance with robust cybersecurity practices to safeguard critical information assets'
lang: 'en'
author: 'Vincent Delitz'
date: '2025-01-02T10:10:04.680Z'
lastModified: '2026-03-27T07:01:05.520Z'
keywords: 'cps234, Prudential Standard CPS, CPS compliance'
category: 'Passkeys Strategy'
---

# How to stay compliant with CPS 234 in 2026?

## Key Facts

- **CPS 234** requires APRA-regulated entities to maintain information security
  capabilities commensurate with evolving threats, with the Board of Directors holding
  ultimate compliance responsibility.
- Australian financial institutions, which collectively manage assets exceeding
  **6.5 trillion AUD**, are subject to CPS 234; this covers banks, insurers,
  superannuation funds and the third-party vendors that handle their information assets.
- **Material security incidents** must be reported to APRA within 72 hours; material
  control weaknesses require a separate notification within 10 business days.
- **Third-party vendor oversight** is a core CPS 234 obligation, requiring due diligence,
  contractual security provisions and periodic risk assessments for all parties managing
  information assets.
- CPS 234 defines **eight compliance areas** spanning information security capability,
  policy framework, asset classification, control implementation, incident management,
  control testing, internal audit and APRA notification.

## 1. Overview of APRA Prudential Standard CPS 234

The **Prudential Standard CPS 234 Information Security** (CPS 234) was introduced by the
Australian Prudential Regulation Authority (APRA) to address the growing threat of
cyberattacks in the financial sector. Its primary aim is to ensure APRA-regulated entities
maintain robust information security measures to mitigate the risk of information security
incidents, including cyberattacks.

APRA's mission is to enforce prudential standards that support a stable, efficient, and
competitive [financial services](https://www.corbado.com/passkeys-for-banking) sector, ensuring financial
promises made by its regulated entities are met under all reasonable circumstances. CPS
234 exemplifies this mission by mandating entities to establish and maintain information
security capabilities commensurate with the evolving landscape of security
[vulnerabilities](https://www.corbado.com/glossary/vulnerability) and threats.

This article covers the essential information on CPS 234 compliance in 2025.

## 2. Why is CPS 234 important?

CPS 234 plays a crucial role in safeguarding Australian businesses by ensuring resilience
against cyber threats and other security risks. It also requires entities to respond
promptly to significant security incidents, such as data breaches.

Cyberattacks targeting financial institutions have become increasingly sophisticated,
driven by the potential for financial gain and access to sensitive data, including
personally identifiable information (PII) and protected health information (PHI).
Financial institutions, which collectively manage assets exceeding $6.5 trillion, are
particularly attractive to attackers.

The rise in third-party vendor reliance within the superannuation,
[banking](https://www.corbado.com/passkeys-for-banking), and [insurance](https://www.corbado.com/passkeys-for-insurance) sectors has
amplified these risks. Consequently, [stakeholders](https://www.corbado.com/blog/passkeys-stakeholder) demand
higher standards of information security to protect critical information assets.

By enforcing rigorous security measures and vendor risk management practices, CPS 234 aims
to reduce the frequency and impact of cybersecurity incidents, ultimately enhancing the
resilience of the financial sector.

## 3. Who is subject to CPS 234?

CPS 234 applies to all APRA-regulated entities, including:

- **Authorized deposit-taking institutions (ADIs)** such as banks, credit unions, and
  foreign ADIs
- **General insurers**, including non-operating holding companies and parent entities of
  Level 2 [insurance](https://www.corbado.com/passkeys-for-insurance) groups
- **Life insurance companies**, friendly societies, and eligible foreign life insurers
- **Private health insurers**
- **Superannuation funds** and RSE licensees

The standard also extends to information assets managed by third-party vendors, requiring
these parties to comply with CPS 234 mandates.

## 4. Governance and Responsibility

The **Board of Directors** holds ultimate responsibility for CPS 234 compliance. Boards
must ensure that their organizations maintain robust information security aligned with the
scale of risks to their information assets. While the Board may delegate responsibilities,
it must clearly define expectations for engagement, risk escalation, and reporting.

Entities are required to establish clearly defined roles and responsibilities for all
[stakeholders](https://www.corbado.com/blog/passkeys-stakeholder) involved in information security, including
senior management, governing bodies, and operational teams. These roles are supported by
role statements, policies, reporting lines, and governance charters to avoid ambiguity and
ensure accountability.

Effective oversight requires non-technical [stakeholders](https://www.corbado.com/blog/passkeys-stakeholder) to
receive comprehensible reports supplemented by analysis of business implications, ensuring
informed decision-making.

## 5. What are the Key Requirements of CPS 234?

CPS 234 outlines critical requirements to ensure comprehensive information security. These
include:

1. **Information Security Capability**\
   Entities must maintain capabilities proportional to the size and nature of threats to
   their information assets, actively adapting to evolving risks and
   [vulnerabilities](https://www.corbado.com/glossary/vulnerability).

2. **Policy Framework**\
   An information security policy framework must define roles, responsibilities, and
   security practices for all stakeholders, including contractors and third-party vendors.

3. **Information Asset Identification and Classification**\
   Information assets must be classified by their sensitivity and criticality to
   prioritize protection measures.

4. **Control Implementation**\
   Security controls must be designed, tested, and maintained throughout the lifecycle of
   information assets.

5. **Incident Management**\
   Entities must have robust mechanisms to detect, respond to, and recover from
   information security incidents.

6. **Control Testing**\
   Regular and systematic testing must validate the effectiveness of security measures.

7. **Internal Audit**\
   Independent audits must assess the adequacy of information security controls and
   provide assurance to the Board.

8. **APRA Notification**\
   Material security incidents or weaknesses must be reported to APRA within specified
   timeframes.

## 6. How to Achieve Compliance with CPS 234

To comply with CPS 234, entities need to develop and implement a robust security framework
that addresses the standard's key requirements. This involves aligning organizational
processes, resources, and technologies with the demands of evolving cybersecurity threats.
Key steps include:

### 6.1 Establishing and Maintaining Adaptive Security Capabilities

- Conduct regular assessments of the organization's resourcing, including funding,
  personnel, and access to specialized skill sets.
- Implement a dynamic control environment that evolves with emerging threats,
  [vulnerabilities](https://www.corbado.com/glossary/vulnerability), and business changes.
- Ensure continuous training for staff involved in cybersecurity to maintain awareness of
  current risks and mitigation strategies.

### 6.2 Identifying and Classifying Information Assets

- Develop an inventory of all information assets, including those managed by third-party
  vendors.
- Categorize assets based on their criticality and sensitivity to prioritize security
  measures.
- Use tools like configuration management databases (CMDBs) to maintain up-to-date asset
  relationships and dependencies.

### 6.3 Enhancing Vendor and Third-Party Oversight

- Conduct due diligence on third-party vendors to ensure their security practices align
  with CPS 234 requirements.
- Establish clear contractual obligations for information security, including provisions
  for monitoring, audits, and incident management.
- Regularly evaluate vendor performance through periodic reviews, testing, and risk
  assessments.

### 6.4 Strengthening Incident Management

- Develop a comprehensive incident response plan to address various security threats, such
  as [ransomware](https://www.corbado.com/glossary/ransomware), [phishing](https://www.corbado.com/glossary/phishing), or unauthorized
  access.
- Test incident response plans regularly to ensure their effectiveness in mitigating
  potential breaches.
- Define clear roles and escalation paths to ensure timely responses to incidents.

### 6.5 Implementing and Testing Security Controls

- Apply security controls commensurate with the criticality and sensitivity of information
  assets, ensuring timely remediation of vulnerabilities.
- Conduct regular testing of controls, such as penetration testing and
  [vulnerability](https://www.corbado.com/glossary/vulnerability) assessments, to validate their effectiveness.
- Include scenarios for worst-case incidents in the testing plan to prepare for extreme
  but plausible threats.

### 6.6 Establishing a Policy Framework

- Develop a hierarchical set of policies, standards, and procedures addressing all aspects
  of information security, from access control to
  [data lifecycle management](https://www.alation.com/blog/metadata-management-framework/).
- Periodically review and update policies to ensure alignment with evolving regulatory and
  industry standards.
- Incorporate measures to address exemptions, ensuring compensating controls are in place
  and monitored.

### 6.7 Ensuring Clear Governance and Accountability

- Define roles and responsibilities for information security at all organizational levels,
  from the Board to operational teams.
- Ensure robust reporting mechanisms that provide stakeholders with actionable insights
  into the organization’s security posture.
- Regularly engage the Board and senior management to reinforce accountability and drive
  strategic alignment with cybersecurity objectives.

### 6.8 Maintaining a Culture of Security

- Foster a culture of security awareness throughout the organization by providing regular
  training and communication about cybersecurity practices.
- Promote the integration of security into all business processes and decision-making.

## 7. Incident Notification and Escalation

Under CPS 234, material security incidents must be reported to APRA within **72 hours**.
Entities must provide detailed information, including the incident’s nature, status, and
mitigation actions. Similarly, material control weaknesses must be reported within **10
business days**, along with planned remediation efforts.

## 8. Conclusion

CPS 234 is a cornerstone of APRA’s efforts to enhance cybersecurity in the financial
sector. By enforcing robust security practices, fostering a culture of vigilance, and
ensuring compliance across the value chain, CPS 234 helps safeguard critical information
assets and maintain trust in the [financial services](https://www.corbado.com/passkeys-for-banking) industry.

## Frequently Asked Questions

### What are the exact APRA notification deadlines for security incidents under CPS 234?

CPS 234 sets two distinct reporting deadlines. Material security incidents must be
reported to APRA within 72 hours, including details on the incident's nature, status and
mitigation actions. Material control weaknesses carry a longer window of 10 business days,
accompanied by planned remediation efforts.

### Which types of organizations are legally required to comply with APRA CPS 234?

CPS 234 applies to all APRA-regulated entities, including authorized deposit-taking
institutions such as banks and credit unions, general insurers, life insurance companies,
private health insurers and superannuation funds. Compliance obligations also extend to
third-party vendors that manage information assets on behalf of these regulated entities.

### How does CPS 234 handle security requirements for third-party vendors?

CPS 234 requires regulated entities to conduct due diligence on third-party vendors and
establish contractual obligations covering monitoring, audits and incident management.
Vendors managing information assets must comply with CPS 234 mandates directly, and
entities must perform periodic performance reviews and risk assessments to validate
ongoing compliance.

### What specific governance responsibilities does the Board of Directors carry under CPS 234?

The Board of Directors holds ultimate responsibility for CPS 234 compliance and must
ensure information security capabilities match the scale of organizational risk. While
operational duties can be delegated, the Board must define clear expectations for risk
escalation, reporting lines and engagement from senior management and governing bodies.
