
APRA CPS 234 Information Security

KPMG can help you achieve 1 July 2019 compliance with APRA Prudential Standard CPS 234.


APRA has released the final version of its prudential standard focused on information security management (CPS 234).

CPS 234 is intended to shore up APRA-regulated entities’ resilience against information security incidents (including cyber-attacks) and their ability to respond swiftly and effectively in the event of a breach. Compliance is not an IT problem and requires a rapid, whole-of-organisation response. The board, senior management, audit, and operational functions are all directly impacted by this standard.

This Prudential Standard commences on 1 July 2019.

Key requirements of CPS 234

  • Roles and Responsibilities: From July 1, 2019, the board will be accountable for information security and cyber incidents.
  • Information Security Capability: Your security capability must be appropriate for your organisation and its risks.
  • Classification of All Information Assets: All information assets, including those managed by third parties, must be classified by criticality and sensitivity.
  • Internal Audit: Subject matter experts must conduct information security specific assurance.
  • Controls Testing: Testing of information security controls must be appropriate, structured, orderly, comprehensive, and conducted by specialists.
  • APRA Notifications: You are required to notify APRA of information security incidents and, in some circumstances, security control weaknesses.

How can we help?

KPMG has the expertise and resources to help you prepare for CPS 234. Talk to us today about:

  • CPS 234 Gap Assessment – conduct a rapid assessment to see if you are on track for July 1.
  • Governance Framework Preparation – uplift your security governance in line with CPS 234.
  • Cyber Security Internal Audit – provide expert audit resources to support your team.
  • Third Party Controls Framework – implement appropriate controls over information assets managed by third parties.
  • Information Asset Classification – provide frameworks and expert staff to deliver this substantial requirement.
  • Incident Management – conduct a security incident simulation to test notification procedures and educate senior staff.


For further information on how we might assist you, please contact us at

© 2020 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. Liability limited by a scheme approved under Professional Standards Legislation.

KPMG International Cooperative (“KPMG International”) is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.
