A practical guide to CPS 234
Key Takeaways
- CPS 234 is a mandatory APRA standard requiring regulated entities to ensure the confidentiality, integrity, and availability of their information assets.
- The standard places board accountability for information security, expecting directors to understand risks and ensure effective controls are in place.
- CPS 234 mandates ongoing testing and evidence of security controls, including oversight of third-party providers managing information assets for.
What is CPS 234?
CPS 234 is APRA’s prudential standard for information security. It requires APRA-regulated organisations to protect the confidentiality, integrity and availability of their information assets, maintain information security capabilities that reflect the threats they face, and demonstrate those controls are operating effectively.Â
At its core, CPS 234 makes information security a board responsibility. While the day-to-day work typically sits with the Chief Information Security Officer (CISO), Head of Information Security and technology teams, accountability rests with the board. Â
What’s more, directors are expected to understand the organisation’s information security risks, ensure appropriate controls are in place and be confident those controls are working as intended.Â
Essentially, the standard has been in effect since 1 July 2019 and applies across banks, insurers, superannuation funds and other APRA-regulated entities. It also extends beyond an organisation’s own technology environment. Information assets managed by cloud providers, managed service providers and other third parties remain subject to the same obligations. Â
In other words, organisations can outsource technology services, but they can’t outsource accountability.Â
Over the past few years, the conversation around CPS 234 has matured. Organisations are still expected to adopt appropriate security controls, but they’re increasingly expected to demonstrate those controls are operating effectively through ongoing testing, independent assessment and documented evidence. That expectation now shapes everything from supplier oversight and asset management through to incident response and regulatory reporting.Â
This guide explains what CPS 234 requires, who it applies to, how it fits alongside CPS 230, and the practical steps organisations can take to strengthen their information security capability while meeting APRA’s expectations.Â
Does CPS 234 apply to me?
If you’re an APRA-regulated bank, insurer or superannuation fund, the answer is yes. CPS 234 applies directly to your organisation and sets out your information security obligations.Â
The standard can also affect organisations that provide technology or operational services to APRA-regulated entities. While those providers aren’t regulated by APRA under CPS 234 themselves, their customers remain responsible for the security of any information assets they manage. That means suppliers are increasingly expected to demonstrate they have appropriate controls, testing and assurance in place.Â
CPS 234 applies if you are:
- An authorised deposit-taking institution (ADI), including a bank, credit union or building society regulated by APRA.Â
- An insurer or superannuation trustee licensed by APRA.Â
- A private health insurer or a licensed non-operating holding company (NOHC) within an APRA-regulated group.Â
- The Australian operation of a foreign bank or insurer that is regulated by APRA.Â
You may also be affected if you:
- Manage information assets on behalf of an APRA-regulated entity, including services such as cloud hosting, managed infrastructure, core technology platforms or administration. While CPS 234 doesn’t apply to you directly, your customers remain accountable for those assets and will expect you to meet their security and assurance requirements.Â
If none of these apply, CPS 234 is unlikely to be a direct regulatory obligation. Even so, many organisations now use it as a benchmark for information security because it reflects many of the practices expected across regulated industries.Â
Please note that this article is intended as general guidance. Your organisation should confirm whether CPS 234 applies directly, or should apply as best practice.
How does CPS 234 relate to CPS 230?
For starters, CPS 234 and CPS 230 are closely connected, which is why many APRA-regulated organisations manage them as part of the same program. They address different risks, but they often come into play during the same event.Â
The simplest way to think about it is this: CPS 234 focuses on information security, while CPS 230 focuses on operational resilience. CPS 234 is concerned with protecting your information assets from cyber threats. CPS 230 is about ensuring your critical operations continue, even when those threats become real-world disruptions.Â
Indeed, the overlap becomes most obvious during a cyber incident. A ransomware attack, for example, may trigger CPS 234 because it compromises the confidentiality, integrity or availability of information assets. The same incident could also fall under CPS 230 if it disrupts a critical business operation or affects a material service provider. One event can trigger obligations under both standards.Â
Meanwhile, third-party providers are another area where the two standards work together. Under CPS 234, organisations remain accountable for the security of information assets managed by suppliers. Under CPS 230, they are also responsible for understanding how those suppliers support critical operations and whether the business could continue if something went wrong. Â
Together, the two standards encourage organisations to look beyond their own environment and take a broader view of operational and cyber risk.Â
If you’re implementing one standard, you’re almost certainly working on the other. Â
This guide focuses on information security under CPS 234. If you’re looking for guidance on operational resilience, critical operations, tolerance levels and material service providers, read our complete guide to CPS 230.Â
What information security capabilities does CPS 234 require?
CPS 234 doesn’t prescribe a checklist of security controls every organisation must implement. Instead, it expects your information security capability to be commensurate with the threats you face and the criticality and sensitivity of the information assets you protect.Â
That gives organisations flexibility, but it also raises the bar. APRA expects you to understand your own risk profile and be able to explain why your security capability is appropriate. A regional mutual bank, for example, won’t necessarily require the same controls as one of Australia’s largest financial institutions. Both, however, must be able to justify that their security capability reflects the risks they face.Â
Â
In practice, that capability extends across the entire security lifecycle. Organisations need to be able to prevent incidents wherever possible, detect suspicious activity quickly, respond effectively when an incident occurs and recover in a controlled way. Strong prevention on its own isn’t enough if an organisation can’t identify an attack or restore critical services afterwards.
Additionally, CPS 234 also expects information security to be embedded across the organisation. Roles and responsibilities should be clearly defined, security controls implemented consistently across information assets, and incident response plans documented, tested and understood before they’re needed. When an incident occurs, people should already know who is responsible, how decisions will be made and what actions need to be taken.Â
And because CPS 234 is principles-based, there isn’t a single definition of what “good” looks like. Â
Better still, the real test is whether your security capability is appropriate for your organisation and whether you can demonstrate it is operating effectively. Â
Frameworks such as the Essential Eight and ISO 27001 can help shape that capability, but they don’t replace the obligation to assess your own risks and build controls that reflect them. Â
We’ll look at how those frameworks fit into CPS 234 later in this guide.Â
How to identify, classify and keep your information assets current
Indeed, every CPS 234 program starts with the same question:Â What are you protecting?Â
Before an organisation can assess risk, implement controls or test its security posture, it needs a clear understanding of its information assets. CPS 234 requires organisations to identify and classify those assets according to their criticality and sensitivity, including information assets managed by third parties. That inventory becomes the foundation for almost every other obligation in the standard, influencing everything from access controls and testing through to incident response.Â
Creating an asset register is relatively straightforward. On the flip side, keeping it accurate is where many organisations run into trouble.Â
Undoubtedly, technology environments are constantly changing. New applications are introduced, workloads move to the cloud, infrastructure is upgraded and suppliers come and go. Unless the asset register keeps pace with those changes, it quickly becomes a historical record rather than a reliable security control.Â
Therefore, one of the most common issues uncovered during cyber reviews is ageing infrastructure. Systems have reached end of life, software is no longer supported or critical patches haven’t been applied because nobody realised the asset was still in production. Under CPS 234, that isn’t simply an operational issue. Unsupported and unpatched systems expand an organisation’s attack surface and create unnecessary risk.Â
Additionally, we’ve seen organisations discover a critical platform had reached end of life months earlier because nobody was tracking lifecycle dates alongside the asset register. By the time the issue was identified, the exposure had existed for far longer than anyone realised.Â
That’s why CPS 234 expects organisations to treat asset management as an ongoing discipline rather than a one-off compliance exercise. The goal is to know what you own today, but to also maintain an accurate, living view of your information assets, their current security posture and where attention is needed before small gaps become larger security risks.Â
What are your third-party security obligations under CPS 234?
Let’s be clear: Outsourcing technology doesn’t reduce your obligations under CPS 234.Â
If a third party stores, processes or manages your information assets, your organisation remains accountable for ensuring those assets are appropriately protected. APRA expects regulated entities to understand the security capability of their providers, assess whether it is appropriate for the information being managed and maintain oversight throughout the relationship.Â
That responsibility extends well beyond signing a contract. In fact, organisations need confidence that security controls are operating effectively, incidents are managed appropriately and critical information assets continue to receive the protection they require.Â
Assessing your suppliers
Every supplier presents a different level of risk. A payroll provider, cloud platform and managed service provider won’t all require the same level of oversight, but each should be assessed according to the criticality and sensitivity of the information assets they manage.Â
That assessment should consider questions such as:Â
- What information assets does the supplier manage?Â
- How critical are those assets to your organisation?Â
- What security controls has the supplier implemented?Â
- How are those controls tested and evidenced?Â
- How quickly would the supplier detect, respond to and recover from a security incident?Â
In short, the more critical the service, the greater the expectation that you can demonstrate appropriate governance and assurance over the relationship.Â
How do you govern change across your suppliers?
Notably, one of the biggest challenges isn’t assessing a supplier once. Instead, it’s  maintaining oversight as suppliers, systems and environments continue to change.Â
Large financial institutions often rely on dozens of technology providers. Some have well over 100 suppliers supporting different parts of the organisation. And each has its own infrastructure, change management processes, release cycles and security controls.Â
Certainly, that creates an important governance question.Â
How do you maintain visibility of changes occurring across every supplier that manages your information assets?
An organisation may have mature internal change management processes, but far less visibility into changes made by critical providers. As supplier ecosystems grow, demonstrating consistent oversight becomes increasingly difficult, particularly when auditors ask how those changes are governed and evidenced.Â
Indeed, this is one reason many organisations are simplifying their supplier landscape. Consolidating services with fewer strategic providers reduces the number of relationships that need to be governed, the number of change processes that need to be understood and, ultimately, the complexity of demonstrating compliance.Â
It’s also where CPS 234 and CPS 230 naturally intersect. Supplier sprawl doesn’t just increase information security risk. It can also increase operational risk by creating more dependencies across critical business services.Â
Don’t overlook contractual riskÂ
But security controls aren’t the only consideration. Many cloud and platform providers include acceptable use provisions that give them the right to suspend services if they believe a customer has breached their terms and conditions. Â
For APRA-regulated organisations, that has implications beyond the contract itself. A service suspension could affect critical business operations and customer services.Â
Essentially, understanding those contractual rights should form part of any third-party risk assessment. Where suspension rights exist, organisations should understand the circumstances in which they could be exercised and have appropriate contingency plans in place.Â
Ultimately, effective third-party governance is about maintaining visibility, understanding where risk sits and being able to demonstrate that critical suppliers are subject to the same level of oversight as the organisation’s own environment.Â
What are the MFA and access control requirements?
Controlling who can access your systems, applications and information assets is one of the core expectations of CPS 234. APRA expects organisations to implement access controls that reflect the sensitivity of the information being protected and to regularly review whether those controls remain appropriate.Â
Indeed, that starts with the fundamentals. For starters, users should only have access to the systems and information they need to perform their role. What’s more, privileged accounts require additional protection, remote access should be tightly controlled, and access should be removed promptly when people change roles or leave the organisation.Â
Multi-factor authentication is now a baseline
Not surprisingly, multi-factor authentication (MFA) has become one of the most important security controls under CPS 234.Â
Following the credential-stuffing attacks on Australian superannuation funds in April 2025, APRA wrote to all RSE licensees reinforcing its expectations around authentication controls. It asked entities to review their information security controls, strengthen MFA or equivalent protections for high-risk member activities and privileged access, and report any material weaknesses. Those actions were required to be completed by 31 August 2025.Â
The message? Strong authentication is now considered a baseline expectation for protecting sensitive information and reducing the risk of unauthorised access.Â
For a detailed breakdown of APRA’s guidance and the 2025 MFA requirements, read our guide to APRA’s August 2025 MFA deadline.Â
Access management doesn’t stop once access is granted
Remember, strong access management is an ongoing process, not a one-time exercise.Â
Regular access reviews help ensure users still require the permissions they’ve been granted. Privileged accounts should be monitored closely, and elevated access should be provided only when it’s needed, rather than becoming a permanent entitlement.Â
Like many areas of CPS 234, the objective isn’t simply to implement access controls. It’s to demonstrate they continue to operate effectively as people, systems and business requirements change.Â
How does CPS 234 testing and assurance work?Â
This is where CPS 234 has changed most in practice.Â
For example, testing has always been part of the standard, but the way organisations are expected to demonstrate their security capability has evolved significantly. Today, APRA expects organisations to do more than implement controls. They also need to show those controls are operating effectively through a systematic testing program.Â
Certainly, the standard requires testing to reflect the rate of change in an organisation’s technology environment, the threats it faces and the criticality of its information assets. Just as importantly, that testing must be carried out by appropriately skilled and functionally independent specialists. In other words, the people responsible for operating a control shouldn’t be the same people assessing whether it’s working.Â
Evidence has become the new standard
Notably, one of the biggest shifts in recent years has been the growing emphasis on evidence.Â
Organisations are increasingly expected to demonstrate that security controls are working, not simply describe them in a policy or contract. Auditors and regulators want to see documented proof that controls have been exercised and tested, whether that’s a successful restore, a disaster recovery exercise, penetration testing, security monitoring, vulnerability remediation or an incident response simulation.Â
Indeed, this expectation extends beyond APRA. Information security teams often need to satisfy internal technology leaders, risk teams and external auditors before evidence ever reaches the regulator. Each layer is looking for confidence that controls are operating effectively, which makes building evidence continuously far more practical than trying to assemble it in the weeks before an audit.Â
Essentially, that’s also changing how organisations think about visibility. Annual testing remains important, but it’s increasingly complemented by the ability to understand the current state of the environment. Organisations need to know whether systems are patched, monitoring is active, unsupported infrastructure has been identified and critical controls continue to operate as expected. That ongoing visibility makes it easier to identify issues early and demonstrate security capability whenever it’s required.Â
The questions organisations should be able to answer
As organisations move towards continuous assurance, the questions become less about whether controls exist and more about whether they’re operating effectively today.Â
Ask yourself:Â
- Has this control been tested?Â
- When was it last tested?Â
- What were the results?Â
- Were any issues identified and remediated?Â
- Can we produce the evidence?Â
- Are our critical systems fully patched today?Â
- Is security monitoring active?Â
- Can we identify unsupported or end-of-life infrastructure?Â
- What has changed since the last review?Â
- Could we demonstrate all of this if an auditor asked tomorrow?Â
Remember, being able to answer these questions at any point in time is generally a much stronger position than trying to assemble months of evidence just before an audit.Â
Why independence matters
At the same time, functional independence is another defining feature of CPS 234.Â
Independent testing provides confidence that security controls have been assessed objectively rather than reviewed by the same team responsible for operating them. It’s one of the reasons many organisations separate operational security from assurance. One team builds and manages the environment, while another independently assesses whether those controls are operating effectively.Â
Ultimately, good testing strengthens resilience as much as compliance. Organisations that continuously test, monitor and evidence their controls are generally better prepared for cyber incidents, internal reviews and regulatory scrutiny because they already understand how their security capability is performing.Â
What do you do when you have a CPS 234 incident?
When an information security incident occurs, CPS 234 introduces clear regulatory obligations that begin as soon as you become aware of what has happened. Importantly, you don’t need to have completed your investigation before notifying APRA. The notification clock starts when you become aware of a qualifying incident or control weakness, not when every detail has been confirmed.Â
There are two notification duties
Depending on the circumstances, one of these duties will apply.Â
72-hour duty
Notify APRA as soon as possible, and no later than 72 hours, after becoming aware of an information security incident that:Â
- has materially affected, or has the potential to materially affect, the organisation or its customers; orÂ
- has already been reported to another regulator in Australia or overseas.Â
The phrase “has the potential to materially affect” is important. Organisations shouldn’t wait until the full impact has been confirmed before notifying APRA.Â
ORÂ
10-business-day dutyÂ
Notify APRA as soon as possible, and no later than 10 business days, after becoming aware of a material weakness in your information security controls that you don’t expect to remediate in a timely manner.Â
This duty applies even if no security incident has occurred. It’s about recognising a significant control weakness that cannot be addressed quickly and notifying APRA accordingly.Â
Responding to the incident
Meeting the notification deadline is only one part of the response. The first few hours are also critical for protecting evidence and managing the incident effectively.Â
A well-tested incident response plan should guide the organisation through the initial response, including:Â
- Containing the incident to limit further impact.Â
- Preserving evidence for investigation and regulatory review.Â
- Activating the incident response plan and escalation procedures.Â
- Keeping executive leadership, the board and risk teams informed.Â
- Recording key decisions, actions and timelines for the post-incident review.Â
These activities support both the operational response and the evidence APRA, auditors and internal stakeholders may later request.Â
One incident can trigger multiple reporting obligations
CPS 234 isn’t the only reporting framework organisations may need to consider.
Since the Cyber Security Act 2024 started on 30 May 2025, organisations with annual turnover above $3 million, along with all critical infrastructure entities, may also need to report ransomware payments to the Australian Signals Directorate (ASD) within 72 hours.Â
That obligation sits alongside the CPS 234 notification duties rather than replacing them. A single ransomware incident may, therefore, trigger reporting requirements to multiple regulators, each with its own reporting process and timeframe.Â
Ultimately, organisations that respond well don’t just meet notification deadlines. They contain the incident, preserve evidence, follow a tested incident response plan and document their actions from the outset. That evidence becomes just as important as the response itself when regulators, auditors and internal stakeholders later review what happened.Â
How do Essential Eight and ISO 27001 fit alongside CPS 234?
One of the most common questions organisations ask is whether implementing the Essential Eight or achieving ISO 27001 certification is enough to meet CPS 234.Â
The short answer is no. In fact, CPS 234 doesn’t prescribe a specific control framework. Instead, it requires organisations to build information security capabilities that reflect the threats they face and to demonstrate those capabilities are operating effectively. Frameworks such as the Essential Eight and ISO 27001 provide practical ways to achieve that, but neither replaces the obligations under CPS 234.Â
Most APRA-regulated organisations use one or both frameworks to strengthen their security posture while using CPS 234 as the regulatory benchmark.Â
Essential Eight: Building a strong technical foundation
Developed by the Australian Signals Directorate (ASD), the Essential Eight provides practical guidance for reducing cyber risk through measures such as application control, patching, multi-factor authentication, restricting administrative privileges and maintaining secure backups.Â
For many organisations, Essential Eight compliance provides a structured approach to strengthening preventative security controls. Achieving an appropriate Essential Eight maturity can also help demonstrate that those controls are aligned with the organisation’s risk profile.Â
However, the Essential Eight focuses primarily on technical controls. It doesn’t address the broader governance, supplier oversight, independent testing and regulatory notification requirements that form part of CPS 234.Â
ISO 27001: Strengthening governance and assurance
ISO 27001 Australia provides a framework for establishing, maintaining and continually improving an information security management system.Â
Where the Essential Eight focuses on technical controls, ISO 27001 helps organisations build the governance, policies, risk management processes and continuous improvement practices that support them. Certification also provides independently audited evidence that an organisation’s information security management system has been assessed against an internationally recognised standard.Â
For organisations working towards CPS 234 compliance, ISO 27001 can provide a strong governance foundation, but it doesn’t replace the need to demonstrate controls are appropriate for the organisation’s specific risks or that they are operating effectively.Â
How they work together
Rather than choosing one framework over another, many APRA-regulated organisations use both.Â
The Essential Eight helps strengthen technical controls. ISO 27001 provides the governance framework that supports those controls. CPS 234 sits above both, setting the prudential obligations organisations must ultimately meet.Â
Together, they provide a practical foundation for building, governing and continually improving an information security capability that aligns with APRA’s expectations.Â
How does a merger or consolidation affect your CPS 234 posture?
Fund consolidation has become one of the defining trends in Australia’s superannuation sector, and it creates a specific CPS 234 challenge. Â
Mergers combine technology environments, security controls and cyber risks.Â
For APRA-regulated organisations, that’s one of the biggest information security challenges a merger creates. A newly merged entity may inherit multiple infrastructure environments, different security standards and varying levels of maturity, but APRA’s expectations remain the same across all of them.Â
The challenge is integrating systems, but also understanding exactly what you’ve inherited and whether every environment meets the same security standard.Â
Your security posture is only as strong as your weakest environment
Certainly, one of the realities of any merger is that technology environments rarely look the same.Â
Some systems may have modern security controls, current patching and mature monitoring. Others may contain ageing infrastructure, unsupported software or controls that haven’t been tested for years. Until those environments are brought up to a consistent standard, they all contribute to the organisation’s overall cyber risk.Â
And that’s why organisations often discover their security posture is determined by the weakest inherited environment rather than the strongest. Well-managed systems can’t compensate for gaps elsewhere, particularly when those gaps involve critical information assets.Â
Discovery comes before remediation
But before organisations can strengthen their security posture, they need to understand what they actually own.Â
Inherited environments frequently contain unknown assets, incomplete documentation, outdated registers or systems that haven’t been reviewed for years. Those blind spots make it difficult to assess risk, implement appropriate controls or demonstrate compliance with CPS 234.Â
How moving to cloud shrinks your CPS 234 audit surface
Cloud migration is often associated with agility, scalability and innovation. For many APRA-regulated organisations, however, there’s another benefit that’s just as important: reducing the number of technology assets they need to secure, manage and evidence under CPS 234.Â
In fact, every server, application and platform an organisation owns directly becomes something it must patch, monitor, test and demonstrate is operating effectively. As those environments grow, so does the effort required to maintain evidence across them.Â
That’s why moving appropriate workloads to a well-managed cloud environment can reduce that burden. Fewer directly managed assets generally mean fewer controls to maintain, fewer systems to test and a smaller audit surface for internal reviews and regulatory assessments.Â
Cloud reduces the operational burden, not the obligation
It’s important to understand where the responsibility changes, and where it doesn’t.Â
Better still, moving workloads to the cloud doesn’t transfer accountability under CPS 234. APRA still expects regulated organisations to understand how their information assets are protected, assess the security capability of their providers and demonstrate appropriate oversight.Â
In practice, what changes is the operational burden. Much of the day-to-day responsibility for maintaining infrastructure shifts to the provider, while the organisation focuses on governance, supplier oversight and ensuring the right evidence is available when it’s needed.Â
Cloud can simplify the environment, but it doesn’t remove the obligation to govern it.Â
Why end-to-end capability matters
Cloud migration is only one part of the equation.Â
Organisations also need confidence that workloads have been migrated appropriately, the cloud environment is being operated securely and independent assurance is available to demonstrate that security controls are working effectively.Â
That’s where many projects become more complex. Cloud migration, managed cloud services and cyber assurance are often delivered by different providers, creating additional handovers, governance and accountability.Â
Interactive brings those capabilities together. It can help organisations migrate workloads, operate the cloud environment and, through Slipstream Cyber, provide independent cyber assurance over that environment. That combination allows organisations to simplify governance while maintaining the independent oversight CPS 234 expects.Â
Importantly, moving to cloud doesn’t remove the obligation to govern information security. Accountability always remains with the regulated entity. What cloud can do is reduce the number of directly managed assets, simplify the operating environment and make it easier to demonstrate that appropriate controls are in place.Â
Where do organisations fall short on CPS 234?
After several years of CPS 234, the same themes continue to emerge during reviews. Â
Interestingly, they rarely involve organisations having no security controls at all. More often, the gaps appear in how those controls are maintained, tested and evidenced over time.Â
Evidence is still the biggest gap
One of the most common findings isn’t a missing control; instead, it’s missing evidence.Â
Security controls may exist, but organisations can’t always demonstrate they’ve been tested or produce the documentation that shows they’re operating effectively. Under CPS 234, an untested control is difficult to distinguish from an unproven one.Â
That’s why organisations are placing greater emphasis on building evidence continuously rather than trying to assemble it before an audit. By the time regulators or auditors ask the question, the evidence should already exist.Â
Small gaps become bigger risks
Many findings aren’t particularly dramatic. They’re the everyday issues that accumulate over time.Â
Common examples include:Â
- Information asset registers that no longer reflect the current environment.Â
- End-of-life or unsupported systems that remain in production.Â
- Critical security patches that haven’t been applied.Â
- User access that was never removed after people changed roles or left the organisation.Â
- Incident response plans that exist on paper but haven’t been tested.Â
Individually, each issue may appear manageable. Together, they can significantly increase cyber risk and make it much harder to demonstrate compliance with CPS 234.Â
Independence matters
At the same time, another challenge is ensuring testing remains genuinely independent.Â
CPS 234 requires assessments to be performed by functionally independent specialists. That means the people responsible for operating security controls shouldn’t also be responsible for assessing whether those controls are working effectively.Â
Many organisations address this by separating operational security from assurance. One team manages and improves the environment, while another independently assesses its effectiveness. That separation provides greater confidence for boards, executives, auditors and regulators alike.Â
Remember why CPS 234 exists
Now, there’s one final observation that’s worth making: There is a deeper cultural gap worth naming because it’s the one least likely to show up in an audit. Â
A compliance regime as demanding as CPS 234 can quietly shift an organisation’s focus from strengthening resilience to demonstrating compliance. Â
Better still, we’ve seen incident responses where the first discussion centres on whether governance requirements have been met and what regulators or auditors will expect to see. Those conversations matter, but they shouldn’t come before understanding what happened, whether customers or members have been affected and what needs to change to prevent it happening again.Â
Notably, the organisations that get the most from CPS 234 keep the purpose of the standard front of mind. They see compliance as an outcome of strong information security capability, not the reason for building it in the first place.Â
How is the cyber threat landscape changing, and what does APRA expect now?Â
CPS 234 isn’t a static standard because the threat landscape isn’t static either.Â
One of the biggest changes in recent years has been the rapid adoption of AI by cyber criminals. AI is helping attackers identify vulnerabilities faster, create more convincing phishing campaigns and operate at a scale that was difficult to achieve only a few years ago.Â
As attacker capability evolves, APRA expects organisations to keep pace. That's what the phrase "commensurate with the threat" means in practice. Security controls, testing programs and monitoring practices all need to evolve as the threat evolves. A level of maturity that was appropriate several years ago may no longer be sufficient today.Â
The attacks on Australian superannuation funds in 2025 provide a practical example. Credential-based attacks quickly became incidents that affected customer accounts, disrupted operations and attracted significant regulatory attention. They also reinforced why controls such as multi-factor authentication, ongoing monitoring and regular testing continue to receive so much focus
The takeaway? Information security capability needs to keep improving. Patch management, testing, monitoring and incident response all need to operate at a cadence that reflects today’s threat environment.Â
Ultimately, CPS 234 should be viewed as an ongoing capability rather than a one-time compliance project. Organisations that continually review, test and strengthen their security posture will be far better positioned to respond as both the threat landscape and regulatory expectations continue to evolve.Â
How Interactive and Slipstream support CPS 234Â
Throughout this guide, one theme has emerged consistently: successful CPS 234 compliance programs require more than security controls. Organisations need evidence those controls are operating effectively, independent assurance where it’s required and confidence they can demonstrate that capability whenever regulators or auditors ask. Â
Interactive supports organisations across that journey. It provides the cloud, infrastructure and managed IT services that help organisations build and operate secure environments. Through Slipstream Cyber, its dedicated cyber security business, it also provides the independent cyber assurance that CPS 234 expects from functionally independent specialists.Â
And that separation is important. Interactive operates the environment. Slipstream Cyber independently assesses it. The two organisations perform different roles, helping regulated entities satisfy the functional independence expected under CPS 234 while reducing the complexity of coordinating multiple providers.Â
As a material service provider to APRA-regulated organisations, Interactive also understands the practical realities of operating in highly regulated environments. Rather than simply describing how controls should work, it helps organisations produce the evidence regulators and auditors increasingly expect to see, including documented controls, tested recovery processes, independent assessments and ongoing assurance activities.Â
That support extends across the key areas explored throughout this guide, including:Â
- Cloud migration and managed cloud services.Â
- Asset and patch management.Â
- Identity and access management.Â
- Managed detection and response.Â
- Incident preparedness and response.Â
- Independent cyber assurance through Slipstream Cyber.Â
Whether organisations are preparing for an APRA review, responding to audit findings or strengthening their overall information security capability, the objective remains the same: building a security posture that can be demonstrated with confidence, not just described.Â
Book a free CPS 234 maturity assessment to identify potential gaps, understand where your organisation stands today and prioritise the next steps towards stronger information security and regulatory readiness.Â