CPS 234 is APRA's Prudential Standard on Information Security, in force since 1 July 2019. It applies to all APRA-regulated entities, irrespective of size: authorised deposit-taking institutions (banks, credit unions, building societies and other mutuals), general, life and private health insurers, and RSE licensees (the trustees of registrable superannuation entities).
Four of the obligations in CPS 234 that APRA reviewers most consistently test against are: §14, clearly defined information-security roles and responsibilities for the board, senior management, governing bodies and individuals; §15, an information-security capability commensurate with the size and extent of threats to the entity's information assets; §16, assessment of the information-security capability of related parties and third parties that manage the entity's information assets; and §35, notification to APRA as soon as possible, and in any case within 72 hours of becoming aware, of an information-security incident that materially affected (or had the potential to materially affect) the entity or its customers, or that has been notified to another regulator. The 72-hour clock runs from awareness, not from confirmation of impact. A companion obligation in §36 requires notification within 10 business days of becoming aware of a material control weakness the entity does not expect to remediate in a timely manner.
CPS 234 is board-accountable. Under §13 the board retains ultimate responsibility for information security, even when operational delivery is outsourced. APRA reviewers ask for evidence artefacts (control-effectiveness test results, internal audit findings, third-party capability assessments, incident notifications and the timelines behind them), not assurance language. Documented evidence is the entire game.