APRA CPS 234 sets mandatory information-security requirements for APRA-regulated entities to maintain capabilities commensurate with their threats and vulnerabilities, including third-party arrangements. It emphasises governance, asset classification, control implementation, incident response, assurance, and timely regulator notification to reduce the likelihood and impact of information-security incidents. APRA is applicable to:

• APRA-regulated entities: banks, credit unions, building societies, insurers/reinsurers, private health insurers, life insurers, ADIs and authorised NOHCs.
• Related parties and third-party service providers managing regulated information assets.
• Subsidiaries or service organisations supporting APRA-regulated operations.

Key Requirements:

• Information-Security Capability: Skills, resources, and oversight aligned to risk.
• Policy Framework: Board-approved policies with clear roles and accountability.
• Information-Asset Identification & Classification: End-to-end inventory and criticality.
• Control Implementation: Proportionate technical/organisational controls across people, process, and technology (on-prem, cloud, suppliers).
• Incident Management: Detect, respond, recover, and learn from incidents.
• Testing Control Effectiveness: Periodic testing, including independent assurance.
• Internal Audit: Risk-based audits over the information-security framework.
• APRA Notification: Prompt notification of material weaknesses and incidents.

The CPS 234:2019 information security controls are: vulnerability and threat management; security operations and administration; secure design and architecture; security testing (incl. penetration testing); reporting and analytics; detection and response (incl. recovery/communication); investigations and forensics; independent assurance.