Australian financial services organisations operate under one of the most rigorous regulatory frameworks in the world. The Australian Prudential Regulation Authority (APRA) mandates comprehensive information security standards through CPS 234 Information Security, requiring regulated entities to maintain an information security capability commensurate with the size and extent of threats to their information assets.
For banks, credit unions, insurance companies, superannuation funds, and other APRA-regulated entities, compliance with CPS 234 is not optional -- it is a condition of their licence to operate. Non-compliance can result in enforceable undertakings, licence conditions, and significant reputational damage. Yet many organisations -- particularly smaller APRA-regulated entities -- struggle to interpret and implement the standard effectively, especially as they migrate more workloads to cloud platforms like Microsoft Azure and Microsoft 365.
According to APRA's own 2024 Cyber Resilience Report, 47% of regulated entities self-assessed as having material gaps in their CPS 234 compliance. The IBM Cost of a Data Breach Report 2024 found that financial services experienced the second-highest average breach cost globally at USD 6.08 million, underscoring the commercial imperative for robust information security.
Key Takeaway
CPS 234 requires APRA-regulated entities to be able to demonstrate their information security capability to the regulator at any time. This is not a one-off compliance exercise -- it requires ongoing investment in people, processes, and technology, with continuous monitoring and regular independent assurance.
APRA CPS 234: Requirements Explained
CPS 234 came into effect on 1 July 2019 and applies to all APRA-regulated entities, including authorised deposit-taking institutions (ADIs), general insurers, life insurers, private health insurers, and registrable superannuation entity (RSE) licensees. The standard is principles-based rather than prescriptive, requiring entities to maintain an information security capability that is appropriate for their risk profile.
The Core Requirements
- Information security capability (Paragraph 15) -- Maintain an information security capability commensurate with the size and extent of threats to information assets, enabling the continued sound operation of the entity
- Policy framework (Paragraph 17) -- Maintain an information security policy framework that is commensurate with exposures to information security vulnerabilities and threats
- Information asset identification and classification (Paragraphs 19-20) -- Classify information assets by criticality and sensitivity, including those managed by related parties and third parties
- Implementation of controls (Paragraphs 21-24) -- Implement controls to protect information assets commensurate with their criticality and sensitivity, and the size and extent of threats
- Incident management (Paragraphs 25-28) -- Maintain robust mechanisms to detect and respond to information security incidents, and notify APRA of material incidents within 72 hours
- Testing (Paragraphs 29-33) -- Test the effectiveness of information security controls through a systematic testing program. The nature and frequency of testing must be commensurate with the rate of change in vulnerabilities and threats
- Internal audit (Paragraph 34) -- Ensure internal audit reviews the design and operating effectiveness of information security controls
Information Security Capability Requirements
CPS 234's overarching requirement is that an entity's information security capability must be commensurate with its risk profile. In practice, this means:
- Board accountability -- The Board is ultimately responsible for the entity's information security. Boards must approve the information security policy, receive regular reporting on information security matters, and ensure adequate resources are allocated
- Clearly defined roles and responsibilities -- The entity must clearly define information security-related roles and responsibilities, including those of the Board, senior management, governing bodies, and individuals. This includes designating a Chief Information Security Officer (CISO) or equivalent
- Sufficient resources -- The entity must maintain sufficient resources (including qualified personnel, technology, and financial resources) to manage its information security consistent with its size, scope, and complexity
- Threat awareness -- The entity must maintain awareness of evolving threats and vulnerabilities, including through threat intelligence, industry information sharing, and engagement with bodies like the ACSC
| CPS 234 Requirement | Azure / M365 Control Mapping | Implementation Approach |
|---|---|---|
| Information asset classification | Microsoft Purview Information Protection sensitivity labels | Auto-classification policies + manual labelling for sensitive financial data |
| Access controls | Microsoft Entra ID Conditional Access + PIM | Risk-based MFA, JIT privileged access, device compliance |
| Data loss prevention | Microsoft Purview DLP | DLP policies across Exchange, SharePoint, Teams, OneDrive |
| Incident detection | Microsoft Sentinel SIEM + Defender XDR | 24/7 monitoring with automated playbooks and alerting |
| Encryption | Azure Storage Service Encryption + BitLocker + TLS | AES-256 at rest, TLS 1.2+ in transit, customer-managed keys |
| Vulnerability management | Microsoft Defender Vulnerability Management | Continuous vulnerability scanning with risk-based prioritisation |
| Security testing | Defender for Cloud secure score + external pen testing | Continuous posture assessment + annual penetration testing |
| Audit logging | Microsoft Purview Audit (Premium) | Unified audit log with 10-year retention, tamper protection |
Incident Notification Obligations
CPS 234 imposes strict incident notification obligations that financial services organisations must understand and prepare for:
- 72-hour notification -- Entities must notify APRA as soon as possible, and in any case no later than 72 hours, after becoming aware of a material information security incident
- What constitutes "material" -- An incident is material if it has, or could have, a material impact on the entity or the interests of depositors, policyholders, or fund members. This includes incidents that could affect the entity's ability to operate, compromise sensitive customer data, or attract regulatory or media attention
- 10-business-day notification for control weaknesses -- Entities must notify APRA as soon as possible, and in any case no later than 10 business days, after identifying a material information security control weakness that cannot be remediated in a timely manner
These notification obligations require organisations to have robust incident detection capabilities, clear escalation procedures, and pre-prepared notification templates. Many organisations discover gaps in their incident response processes only when a real incident occurs -- by which time it is too late to meet the 72-hour deadline.
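As an added illustration of the two notification clocks described above (example code written for readers of this article, not Precision IT's tooling or anything published by APRA), the following Python computes both deadlines from the moment the entity became aware of the problem. It assumes Australia/Sydney as the entity's local time, treats business days as Monday to Friday minus a caller-supplied holiday list (the holiday date in the sample scenario is constructed), and keeps the wall-clock time of awareness for the 10-business-day clock. The 72-hour clock is computed in UTC so it stays correct when the window crosses the daylight-saving changeover, which is the case an incident-response runbook most often gets wrong.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Assumption: the entity operates on Sydney time. Substitute your own location.
LOCAL_TZ = ZoneInfo("Australia/Sydney")

# The two clocks CPS 234 starts when an entity becomes aware of a problem:
# 72 hours for a material incident, 10 business days for a material control weakness.
INCIDENT_WINDOW = timedelta(hours=72)
WEAKNESS_BUSINESS_DAYS = 10


def add_business_days(start: datetime, days: int, holidays: frozenset = frozenset()) -> datetime:
    """Advance `start` by `days` business days (Monday to Friday, skipping `holidays`).

    The wall-clock time of `start` is kept, so a weakness identified at 15:00 on a
    Monday falls due at 15:00 on the tenth business day after it.
    """
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)  # wall-clock day arithmetic on an aware datetime
        if current.weekday() < 5 and current.date() not in holidays:
            remaining -= 1
    return current


@dataclass(frozen=True)
class NotificationDeadlines:
    aware_at: datetime
    incident_deadline: datetime   # latest time to notify APRA of a material incident
    weakness_deadline: datetime   # latest time to notify APRA of a material control weakness


def deadlines_for(aware_at: datetime, holidays: frozenset = frozenset()) -> NotificationDeadlines:
    """Compute both CPS 234 notification deadlines from the moment of awareness."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; naive times are ambiguous at DST changeover")
    aware_local = aware_at.astimezone(LOCAL_TZ)
    # 72 elapsed hours, not 72 wall-clock hours: do the arithmetic in UTC so the
    # deadline is right even when the window spans the daylight-saving changeover.
    incident_deadline = (aware_at.astimezone(timezone.utc) + INCIDENT_WINDOW).astimezone(LOCAL_TZ)
    weakness_deadline = add_business_days(aware_local, WEAKNESS_BUSINESS_DAYS, holidays)
    return NotificationDeadlines(aware_local, incident_deadline, weakness_deadline)


def notified_in_time(deadline: datetime, notified_at: datetime) -> bool:
    """True if the notification was lodged on or before the deadline (both timezone-aware)."""
    return notified_at <= deadline


if __name__ == "__main__":
    # Constructed scenario: the SOC confirms a material incident late on a Friday afternoon.
    aware = datetime(2024, 6, 14, 16, 0, tzinfo=LOCAL_TZ)
    # Constructed holiday list for the example; use the relevant state's gazetted holidays.
    holidays = frozenset({date(2024, 6, 24)})
    d = deadlines_for(aware, holidays)
    print("aware at:          ", d.aware_at.isoformat())
    print("incident deadline: ", d.incident_deadline.isoformat())
    print("weakness deadline: ", d.weakness_deadline.isoformat())
    print("notified Monday 09:00 in time?",
          notified_in_time(d.incident_deadline, datetime(2024, 6, 17, 9, 0, tzinfo=LOCAL_TZ)))
```

Feeding these deadlines into the incident ticket at the moment of triage, rather than calculating them by hand later, is what lets an escalation path be measured against the clock rather than guessed at.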
Key Takeaway
APRA's 72-hour notification window is one of the tightest in the world. Organisations must have automated detection, pre-defined escalation paths, and rehearsed response procedures to meet this obligation. Precision IT's 24/7 Security Operations Centre provides the continuous monitoring capability that underpins timely incident detection and notification.
Third-Party Risk Management
CPS 234 extends information security obligations to third-party arrangements. When an entity outsources information asset management to a third party (including cloud service providers), the entity remains responsible for ensuring the security of those assets. Key requirements include:
- Due diligence -- Evaluate the information security capability of third parties before entering into arrangements, and on an ongoing basis
- Contractual obligations -- Include information security requirements in third-party contracts, including the right to audit, incident notification obligations, and data handling requirements
- Monitoring -- Monitor the information security performance of third parties and ensure they maintain capabilities commensurate with the sensitivity of the information assets they manage
- Cloud-specific considerations -- For cloud services, evaluate the shared responsibility model, data sovereignty requirements (ensuring data remains in Australia where required), and the provider's security certifications (ISO 27001, SOC 2, IRAP assessment)
Both Microsoft Azure and Microsoft 365 hold extensive compliance certifications relevant to APRA-regulated entities, including ISO 27001, SOC 1 and SOC 2 Type II, IRAP PROTECTED, and CSA STAR. Microsoft also provides the Financial Services Compliance Program and specific guidance for APRA-regulated entities in Australia.
Cloud Usage by APRA-Regulated Entities
APRA's guidance on cloud computing (including CPG 235 Managing Data Risk and various information papers) acknowledges that cloud adoption is a reality for the financial sector. The key principles for cloud usage include:
- Data sovereignty -- Understand where your data is stored and processed. For most APRA-regulated entities, primary data should reside in Australian data centres. Both Azure Australia East (Sydney) and Azure Australia Southeast (Melbourne) provide in-country data residency
- Shared responsibility -- Understand and document the division of security responsibilities between your organisation and the cloud provider. Microsoft's shared responsibility model clearly delineates provider and customer responsibilities for each service type (IaaS, PaaS, SaaS)
- Exit strategy -- Maintain a documented exit strategy for material cloud arrangements, ensuring you can transition away from a provider without unacceptable disruption
- Concentration risk -- Consider the risk of concentrating critical functions with a single cloud provider and plan for multi-provider or hybrid arrangements where appropriate
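To make the data sovereignty principle above concrete, the following Python (an example added for this article, not Precision IT's or Microsoft's tooling) checks an exported Azure resource inventory against the two Australian regions named above. The inventory shape follows the `id`, `type` and `location` fields of `az resource list -o json` output; the sample inventory and its subscription id are constructed, and the short list of resource types treated as global-by-design is an assumption to be replaced from your own environment. Anything not in an Australian region fails closed, while global-by-design resources are routed to a documented review rather than silently passed.

```python
import json
from dataclasses import dataclass

# The regions this article names as providing in-country data residency.
AUSTRALIAN_REGIONS = frozenset({"australiaeast", "australiasoutheast"})

# Resource types Azure deploys with location "global" by design. This is an assumed,
# deliberately short list for the example; build yours from your own inventory.
# These cannot satisfy a region check, so they get a review status instead of a pass.
GLOBAL_BY_DESIGN = frozenset({
    "microsoft.network/dnszones",
    "microsoft.network/trafficmanagerprofiles",
})


@dataclass(frozen=True)
class Finding:
    resource_id: str
    location: str
    status: str  # "in_region", "out_of_region" or "global_review"


def classify(resource: dict) -> Finding:
    """Classify one inventory record. Unknown, empty and non-Australian locations fail closed."""
    location = resource.get("location", "").lower()
    rtype = resource.get("type", "").lower()
    if location in AUSTRALIAN_REGIONS:
        status = "in_region"
    elif location == "global" and rtype in GLOBAL_BY_DESIGN:
        status = "global_review"
    else:
        status = "out_of_region"
    return Finding(resource["id"], location, status)


def residency_report(inventory_json: str) -> dict:
    """Group resource ids by residency status from an `az resource list`-style JSON array."""
    report = {"in_region": [], "out_of_region": [], "global_review": []}
    for resource in json.loads(inventory_json):
        finding = classify(resource)
        report[finding.status].append(finding.resource_id)
    return report


# Constructed sample inventory (placeholder subscription, no real resources),
# shaped like `az resource list -o json` output.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-core/providers"
SAMPLE_INVENTORY = json.dumps([
    {"id": f"{_SUB}/Microsoft.Storage/storageAccounts/stcustomerdata",
     "type": "Microsoft.Storage/storageAccounts", "location": "australiaeast"},
    {"id": f"{_SUB}/Microsoft.Compute/virtualMachines/vm-batch01",
     "type": "Microsoft.Compute/virtualMachines", "location": "AustraliaSoutheast"},
    {"id": f"{_SUB}/Microsoft.Sql/servers/sql-reporting",
     "type": "Microsoft.Sql/servers", "location": "southeastasia"},
    {"id": f"{_SUB}/Microsoft.Network/dnszones/example.com.au",
     "type": "Microsoft.Network/dnszones", "location": "global"},
    {"id": f"{_SUB}/Microsoft.Web/sites/app-portal",
     "type": "Microsoft.Web/sites", "location": ""},
])

if __name__ == "__main__":
    for status, ids in residency_report(SAMPLE_INVENTORY).items():
        print(f"{status}: {len(ids)}")
        for rid in ids:
            print("   ", rid)
```

Running this against a fresh export before each Board report turns the data residency statement into evidence, and the `out_of_region` list is exactly the set of resources a due-diligence review needs to explain or relocate.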
Testing and Assurance
CPS 234 requires a systematic testing program for information security controls. This includes:
- Vulnerability assessments -- Regular scanning of infrastructure, applications, and cloud workloads using tools like Microsoft Defender Vulnerability Management
- Penetration testing -- Annual (or more frequent) penetration testing of external-facing systems, internal networks, and cloud environments by qualified independent testers
- Control testing -- Regular testing of specific security controls, including access controls, encryption, backup and recovery, and incident response procedures
- Scenario testing -- Tabletop exercises and simulation scenarios to test incident response plans and escalation procedures
- Independent assurance -- Paragraph 34 requires internal audit to review the design and operating effectiveness of information security controls, including those operated by third parties
Precision IT's Experience with Financial Services
Precision IT is ISO 27001 certified and holds Microsoft Solutions Partner status with advanced security specialisations. We support multiple APRA-regulated entities across banking, insurance, and superannuation with:
- CPS 234 gap assessments -- Comprehensive assessment of your current information security posture against CPS 234 requirements, with a prioritised remediation roadmap
- Cloud security architecture -- Design and implementation of Azure and M365 environments that meet CPS 234 requirements, including data classification, access controls, encryption, and monitoring
- 24/7 security monitoring -- Our Australian Security Operations Centre provides continuous monitoring via Microsoft Sentinel, enabling timely detection and notification of security incidents within APRA's 72-hour requirement
- Privileged access management -- Implementation of Microsoft Entra PIM for JIT access controls aligned with CPS 234 and Essential 8
- Compliance reporting -- Automated compliance dashboards and regular Board-level reporting on information security posture
- Annual penetration testing -- Independent testing of your environment against the latest threat landscape
Our financial services clients benefit from our deep understanding of the regulatory landscape, our Fortinet Advanced Partner status for network security, and our commitment to maintaining the highest security standards in our own operations -- as evidenced by our ISO 27001 certification.
Is your organisation meeting its CPS 234 obligations? Request a complimentary CPS 234 readiness assessment and we will provide a confidential evaluation of your current information security posture against APRA's requirements. Our team has deep experience working with APRA-regulated entities and can provide practical, actionable guidance for achieving and maintaining compliance. Visit our financial services IT page to learn more about our industry-specific capabilities.