What You Need to Know About Prudential Standard CPS 234

July 01, 2021


One of the more interesting parts of working in information security and data privacy is the continual evolution of security regulation. Governments, regulators, and even industry groups keep expanding their standards to raise the bar for compliance, privacy, and security across the board.

It is also common for existing standards to be revised to address new threats and new ways of operating. Prudential Standard CPS 234, issued by the Australian Prudential Regulation Authority (APRA), is one such standard. Here we look at what CPS 234 requires, who must comply, and how your team can prepare for ongoing regulatory change in your space.


What is CPS 234?

Prudential Standard CPS 234 (Information Security) is a prudential standard issued by APRA that requires every APRA-regulated entity to take clear, documented steps to protect its information assets from security threats and vulnerabilities. Its stated objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity, and availability of those assets, including assets managed by related parties or third parties. That may sound like business as usual, since preparing for and protecting against incidents is already a core responsibility of any InfoSec team, but CPS 234 turns it into a set of explicit obligations that an entity must meet, and be able to evidence, to remain compliant.

Key organizations and entities covered by CPS 234 include:

  • Deposit-taking organizations, including foreign institutions with an Australian presence
  • General insurers, non-operating holding companies, and parent entities of insurance groups
  • Life companies and eligible foreign life insurance companies
  • Private health insurers
  • Other APRA-regulated licensees, including registrable superannuation entity (RSE) licensees


How to comply with CPS 234

If your organization falls into one of the categories above, or if you manage information assets for an APRA-regulated entity as a third party or related party, then CPS 234 applies to the work you do for them. Some of the critical requirements of CPS 234 are:

  1. Clearly define information-security roles and responsibilities, including those of the board, senior management, governing bodies, and individuals; under CPS 234 the board is ultimately responsible for the entity's information security.
  2. Maintain an information security capability commensurate with the size and extent of the threats to the entity's information assets, and assess the capability of any third party or related party that manages those assets.
  3. Classify information assets by criticality and sensitivity, and implement controls to protect them commensurate with that classification; the controls must be tested systematically and reviewed by internal audit.
  4. Notify APRA of any information security incident that materially affected, or had the potential to materially affect, the entity or its customers as soon as possible and no later than 72 hours after becoming aware of it, and notify APRA within ten business days of identifying a material information security control weakness that the entity expects it cannot remediate in a timely manner.


Prepare for ongoing regulation changes

CPS 234 took effect on July 1, 2019. For information assets managed by a third party, APRA allowed a transition period that ended on July 1, 2020, so every APRA-regulated entity and its third-party arrangements are now fully within scope. With so many other standards to consider, staying on top of changing regulations, knowing when a looming deadline applies to your organization, and proactively remaining compliant can be tricky.

This is where a dedicated vendor risk management (VRM) solution can help. For many teams, keeping track of InfoSec standards gets confusing. With a VRM platform like Whistic, your team can track standards like CPS 234, work toward regulatory deadlines, and confirm that your vendors and partners are also compliant. You can learn more here.
