APRA CPS 234 Information Security

KPMG can help you achieve 1 July 2019 compliance with APRA Prudential Standard CPS 234.

Gordon Archibald

National Lead, Cyber Security Services

KPMG Australia

APRA has released the final version of its prudential standard focused on information security management (CPS 234).

CPS 234 is intended to shore up APRA-regulated entities’ resilience against information security incidents (including cyber-attacks) and their ability to respond swiftly and effectively in the event of a breach. Compliance is not an IT problem; it requires a rapid, whole-of-organisation response. The board, senior management, audit, and operational functions are all directly impacted by this standard.

This Prudential Standard commences on 1 July 2019.

Key requirements of CPS 234

  • Roles and Responsibilities: From July 1, 2019, the board will be accountable for information security and cyber incidents.
  • Information Security Capability: Your security capability must be appropriate for your organisation and its risks.
  • Classification of All Information Assets: All information assets must be classified by criticality and sensitivity, including those managed by third parties.
  • Internal Audit: Subject matter experts must conduct information security specific assurance.
  • Controls Testing: Testing of information security controls must be appropriate, structured, orderly, comprehensive, and conducted by specialists.
  • APRA Notifications: You are required to notify APRA of information security incidents and, in some circumstances, security control weaknesses.

How can we help?

KPMG has the expertise and resources to help you prepare for CPS 234. Talk to us today about:

  • CPS 234 Gap Assessment – conduct a rapid assessment to see if you are on track for July 1.
  • Governance Framework Preparation – uplift your security governance in line with CPS 234.
  • Cyber Security Internal Audit – provide expert audit resources to support your team.
  • Third Party Controls Framework – implement appropriate controls over information assets managed by third parties.
  • Information Asset Classification – provide frameworks and expert staff to deliver this substantial requirement.
  • Incident Management – conduct a security incident simulation to test notification procedures and educate senior staff.


For further information on how we might assist you, please contact us at CPS234@kpmg.com.au

©2022 KPMG, an Australian partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved. The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organisation.