For financial institutions operating in Australia, APRA CPS 234 is the foundational information security standard. Understanding what it requires — particularly around security testing — is essential for compliance. This article presents only verified facts.
What CPS 234 Is
CPS 234 is a mandatory information security regulation issued by the Australian Prudential Regulation Authority (APRA). It took effect on 1 July 2019. It requires organisations in the financial and insurance sectors to strengthen their information security frameworks to protect themselves and their customers from cyber threats.
APRA is a statutory authority established by the Australian Government in 1998. It supervises institutions performing activities related to insurance, superannuation, and banking.
Who Must Comply
CPS 234 applies to any APRA-regulated financial institution — banks, insurance companies, and superannuation funds — and to material service providers. The standard also extends to outsourced and cloud environments: entities remain responsible for ensuring equivalent controls where their data lives with third parties.
The Testing Requirement
CPS 234 mandates that entities test the effectiveness of their information security controls. This includes penetration testing, vulnerability assessments, and third-party assurance activities, performed regularly and again after material system changes.
Importantly, CPS 234 requires testing by independent specialists where warranted. This independence requirement is significant — it means that internal testing alone may not satisfy the standard for higher-risk systems, and that engaging qualified external security specialists is often necessary.
The Core Requirements
CPS 234 organises its expectations around several requirement categories: clearly defined information security roles and responsibilities for the board, senior management, and staff; maintaining an information security capability proportional to the size and risk profile of the institution; identifying and classifying information assets by criticality and sensitivity; implementing controls matched to threats and vulnerabilities; regularly testing control effectiveness; maintaining an incident management framework; and notifying APRA of incidents.
On notification: CPS 234 requires specific notification to APRA within 72 hours for material incidents and within 10 business days for identified control weaknesses.
APIs Are In Scope
A point often overlooked: APIs are information assets under CPS 234 and must be identified, classified, and protected. As financial institutions expose more functionality through APIs, the security testing of those APIs becomes a direct compliance consideration.
How Simuna Infosec Helps
As an independent security specialist, Simuna Infosec provides exactly the kind of third-party testing CPS 234 calls for. Our human-led methodology tests the effectiveness of information security controls against real-world attack techniques, and our experience securing major banks across multiple regions translates directly to the rigour APRA-regulated entities require. We test web applications, APIs, mobile applications, and infrastructure — providing the audit-ready evidence of control effectiveness that the standard expects.
*This article reflects publicly available information as of mid-2026. Regulatory details evolve; consult qualified legal counsel for compliance decisions.*