What is APRA CPS 234 and does it apply to me?

CPS 234 is the Australian Prudential Regulation Authority’s information-security standard:

  • Who it applies to — APRA-regulated entities: banks and other authorised deposit-taking institutions, insurers, and superannuation trustees. It requires them to maintain information-security capability matched to their threats, define board-level accountability, test their controls, and notify APRA of material incidents within 72 hours.
  • If you are not APRA-regulated — CPS 234 does not apply to you directly.
  • The one indirect path — the standard also covers information assets managed by third parties, so if you supply services to a bank, insurer or super fund, their CPS 234 obligations can flow into your contract as security requirements and assessment rights. That is the moment a small supplier genuinely needs formal security help.

For everyone else, CPS 234 is a useful signal of what regulated-entity security looks like — not a checklist to adopt.