What is APRA Prudential Standard CPS 234?
APRA Prudential Standard CPS 234
APRA CPS 234 alignment for mid-market financial services.
Senior security with named accountability. Documented control mapping. Board-ready evidence.
Co-managed with your CISO and Head of Risk. Built around CPS 230 critical-operations obligations from 1 July 2025.
The problem mid-market FS firms actually face on CPS 234
Mid-market banks, credit unions, mutuals, pension/super funds and mid-tier insurers are caught between two realities. CPS 234 is proportionate on paper (the capability must be "commensurate with the size and extent of threats"), but the evidence a reviewer asks a $4bn-asset mutual for is the same in kind as what a tier-1 bank produces: tested controls, documented results, assurance over every third party. The budget, headcount and tooling to produce it sit closer to a 200-person firm than a 2,000-person one.
The hardest gap is §15. A typical APRA-regulated mid-market entity now has 30 to 60 material third parties touching information assets: payments processors, member-portal vendors, claims platforms, custodians, registry providers, cloud platforms. CPS 234 requires the entity to assess the information-security capability of each one, commensurate with the consequences of an incident affecting the assets it manages, and to keep the evidence of that assessment. Most boards see a control register that says "vendor risk-assessed annually" and treat it as covered. APRA's recent cyber stocktake letter and the 2025 wave of credential-stuffing attacks on super-fund member portals (passwords leaked in breaches elsewhere, replayed against portal logins that did not enforce multi-factor authentication, across several funds) put §15 squarely at the front of every reviewer's reading list.
Three other patterns we see weekly in mid-market reviews
- §11 Roles and responsibilities: a CISO who reports two layers below the board, with no documented escalation path to the Head of Risk for material incidents.
- §13 Information-security capability: a 24/7 monitoring claim that, on inspection, is a business-hours service desk plus an after-hours phone tree.
- §35 Incident notification: no tested notification playbook with named decision-makers, named legal review and a documented APRA contact. The 72-hour clock runs from the moment the entity becomes aware of the incident, not from when it is confirmed or contained, so the playbook has to be rehearsed, not just written.
That is the ground BISTEC operates on.
How BISTEC aligns to CPS 234, control by control
We map our delivery model to the four CPS 234 sections that drive the most mid-market findings. Each row is a control test that an APRA-appointed reviewer or Big-4 internal auditor can ask about — and we have an evidence artefact for it.
| CPS 234 § | What APRA expects | What BISTEC delivers | Evidence artefact |
|---|---|---|---|
| §11 Roles and responsibilities | Clearly defined info-sec roles for the board, senior management, and individuals; documented escalation path | Named lead + named senior security analyst per account; documented RACI between BISTEC, your CISO, and your Head of Risk; quarterly review with the Risk Committee chair | RACI document; named-lead appointment letter; Risk Committee meeting minutes template |
| §13 Information-security capability | Capability commensurate with the size and extent of threats; tested regularly | Senior security operations (Defence and Resilience tiers, 24/7/365); SIEM with documented detection coverage; Essential Eight ML2 alignment; CREST-certified analysts; quarterly tabletop exercises | Detection-coverage report mapped to MITRE ATT&CK; analyst clearance register; tabletop exercise minutes |
| §15 Third-party management | Assess the information-security capability of any third party that manages information assets, commensurate with the consequences of an incident affecting those assets; evaluate the design of that party's controls and test their effectiveness | Documented BISTEC ISMS (ISO 27001 certified); SOC 2 Type II programme on roadmap; sub-processor register; right-to-audit clause in MSAs; annual control attestation pack | ISO 27001 certificate; sub-processor register; annual control attestation; right-to-audit clause |
| §35 and §36 Incident notification | Notify APRA as soon as possible and no later than 72 hours after becoming aware of a material incident (§35); notify a material control weakness that cannot be remediated in a timely manner within 10 business days of becoming aware of it (§36) | Documented 72-hour notification playbook with named decision-makers; legal review template; APRA contact registered; war-room dial-in tested quarterly | Notification playbook; tabletop run-sheets; quarterly drill report |
How that maps to the BISTEC service stack
Managed Security (Defence or Resilience tier)
Carries the §13 capability obligation. Senior security operations, named analysts, 30-min acknowledge / 1-hour containment for Defence; 15-min / 30-min for Resilience.
Service Desk (co-managed)
Carries the §11 documentation obligation — incident records, change records, access-management evidence, all in a register a reviewer can read.
Cloud & Infrastructure
Carries the §13 backup, recovery and resilience obligations. Tested restores, documented RTOs, change-control records.
IT Projects
Carries the §15 assurance work — third-party reviews, control mapping for new vendors, Privacy Impact Assessments.
Every quarter, we hand your Head of Risk a one-page CPS 234 control-test summary mapped to your last twelve months of evidence. It is built to drop into the next Risk Committee pack.
Why mid-market FS firms pick BISTEC for CPS 234 work
- 01 Senior named accountability: Sydney HQ. Senior security operations for everything CPS 234 §13 touches. Named lead. Named senior security analysts. Engineering depth from Colombo for the work that is not security.
- 02 CISO Advisor co-byline on this hub: our CISO Advisor reviewed every control mapping above. Their name is on the page (and on the evidence pack), not in a press release.
- 03 Production accreditations: ISO 27001 certified. SOC 2 Type II programme underway. Microsoft Solutions Partner. AWS Partner. Great Place to Work — Asia Top 30.
- 04 CPS 230 paired throughout: the operational risk management standard CPS 230 commences 1 July 2025. Critical-operations obligations sit alongside CPS 234 in every quarterly review we deliver. We do not separate them.
- 05 We picked the mid-market deliberately: your named lead does not get reassigned to a tier-1 bank account. We do not chase Big-4 logos. We are not the cheapest. We are the people who answer the phone at 2am with the same name on the email signature.
- 06 No AI claims in our security operations: humans do this work. SIEM, MITRE ATT&CK mapping, named analyst review. The decision about what to do next is made by a person whose name is on your contract.
Sample CPS 234 Evidence Pack
A redacted, real-engagement evidence pack — exactly what we hand a Head of Risk before a CPS 234 review. RACI, control-test summary, sub-processor register, 72-hour notification playbook, last quarter's tabletop minutes. Built for board-pack use. Free. Email-gated. One nurture email per week, maximum.
CPS 234 Readiness Worksheet
A 12-question diagnostic that takes 20 minutes. Tells you which of §11 / §13 / §15 / §35 is your weakest control before APRA tells you.
Frequently asked
Definition-led answers built for board packs, audit panels, and AI-engine citation.
What is CPS 234?
CPS 234 is APRA's prudential standard on information security for APRA-regulated entities, in force since 1 July 2019. It requires regulated entities to maintain an information-security capability commensurate with the size and extent of threats to their information assets, clearly define information-security roles and responsibilities, assess the capability of third parties that manage their information assets, and notify APRA of material incidents no later than 72 hours after becoming aware of them (and of material control weaknesses that cannot be remediated in a timely manner within 10 business days).
Who does CPS 234 apply to?
CPS 234 applies to all APRA-regulated entities: authorised deposit-taking institutions (banks, credit unions, mutuals, building societies), general insurers, life insurers, private health insurers, RSE licensees (superannuation funds), and authorised non-operating holding companies. It does not apply to entities outside APRA's regulatory perimeter (for example, non-regulated fintechs, advisory businesses or unlicensed funds), although those entities are often caught indirectly as third parties under §15 of a regulated client.
How does CPS 234 relate to CPS 230?
CPS 234 is the information-security standard. CPS 230 is the operational risk management standard, which commences 1 July 2025 and replaces several earlier standards including CPS 231 (outsourcing) and CPS 232 (business continuity). CPS 230 sits a layer above CPS 234: it requires identification of critical operations, tolerable disruption windows, and material service-provider management. The information-security controls that protect critical operations live under CPS 234. A mid-market FS board pack from 1 July 2025 onward should reference both standards together. One caveat: APRA's transition arrangements for contracts with material service providers that pre-date 1 July 2025 run to the earlier of the next contract renewal or 1 July 2026, but the §15 assessment under CPS 234 applies to those providers regardless of the CPS 230 transition.
What is a CPS 234 evidence pack?
A CPS 234 evidence pack is the bundle of documents an APRA reviewer (or your internal auditor) asks for to test compliance: the RACI for §11, the capability documentation for §13, the third-party assurance register for §15, the 72-hour incident-notification playbook for §35, plus quarterly tabletop minutes, detection-coverage reports and sub-processor registers. BISTEC publishes a redacted sample of exactly this pack as a lead magnet.
What does §15 third-party management require?
§15 requires an entity to assess the information-security capability of any related party or third party that manages its information assets, commensurate with the potential consequences of an incident affecting those assets; elsewhere the standard also requires the entity to evaluate the design of that party's controls and to test their effectiveness. For a mid-market FS firm with 30 to 60 material third parties, this means a documented assessment per third party (control questionnaire, evidence sample, annual attestation) with right-to-audit clauses in the contract. In the reviews we ran across 2024 and 2025, findings clustered in §15 because mid-market firms run a generic vendor-risk programme without an information-security-specific lens.
Can a mid-market firm achieve CPS 234 alignment without a tier-1 budget?
Yes, but not by buying tier-1 tools. The pattern that works is co-managed: a partner that holds the §13 capability obligation under contract, hands you the §11 documentation in audit-ready form, and runs a §15 attestation programme that is proportional to your size. Tier-1 banks spend $50M-plus on CPS 234. Mid-market firms hit alignment at $300K to $1M annually when the partner is the right shape.
What does APRA actually look for in a CPS 234 review?
APRA looks at four things, in order: (1) is there a documented information-security policy framework approved by the board? (2) Is there evidence the controls in that framework are tested, with results reported to senior management? (3) Is there a third-party assurance programme that produces evidence per material third party? (4) When an incident occurred, was the 72-hour notification met and were lessons embedded? Reviewers ask for evidence artefacts, not assurance language. A board-pack paragraph saying "we are CPS 234 compliant" is not evidence.
How long does CPS 234 alignment take?
For a mid-market FS firm starting from a generic IT-managed-services baseline: 90 days to a credible evidence pack and a 12-month uplift roadmap; 6 to 9 months to defensible §11 / §13 / §15 / §35 control testing; 12 to 18 months to a steady-state programme that holds through APRA review. This is the rhythm we run with banks, credit unions and mid-market pension/super funds.
Is CPS 234 alignment sold as a separate product?
No. CPS 234 alignment work sits inside our managed security tier (Defence or Resilience) plus IT-projects programme work. Tier names (Foundation, Defence, Resilience) are public. Numbers are scoped per engagement.
What happens to the programme when the CISO leaves?
The mid-market FS CISO turnover rate is high: the average tenure is shorter than the audit cycle. Our control mapping and evidence pack survive a CISO change because the documentation lives in your control register, not in a single person's head. We have engagements where the third CISO inherited the CPS 234 evidence trail intact.