APRA CPS 234 Information Security
CPS 234 places direct accountability on the Board for information security—APRA can revoke licences, impose conditions, and publicly name non-compliant entities.
APRA Prudential Standard CPS 234 Information Security mandates that all APRA-regulated financial institutions maintain information security commensurate with the size and extent of threats to their information assets. The standard places direct accountability on the Board of Directors for information security.
CPS 234 requires entities to clearly define information security roles and responsibilities, maintain security capability, implement controls to protect information assets, manage incidents, and test control effectiveness. Material incidents must be notified to APRA within 72 hours, and control weaknesses within 10 business days.
For Microsoft 365 environments, CPS 234 compliance requires Defender XDR for security capability and incident management, Conditional Access for access controls, Intune for endpoint security, and comprehensive audit logging for control effectiveness testing. StremarControl engineers and operates the Microsoft-native controls that CPS 234 calls for, translating each obligation into enforceable configuration, structured evidence, and an ongoing assurance discipline for APRA compliance reporting.
Why This Matters Now
APRA CPS 234 is the mandatory information security standard for all APRA-regulated entities including banks, insurers, and superannuation funds in Australia. It requires board-level accountability for information security, security capability commensurate with threats, and notification to APRA of material incidents within 72 hours. For M365 environments, compliance requires Defender XDR for security capability, Conditional Access for access management, and Intune for endpoint security. CPS 234 compliance is non-negotiable for Australia's financial services sector.
Framework Metadata
Scope & Applicability
Applies to all APRA-regulated entities: authorised deposit-taking institutions (banks, building societies, credit unions), general and life insurers, private health insurers, and registrable superannuation entity licensees. Extends to material service providers and third parties handling information assets. M365 tenants used by APRA-regulated entities must demonstrate CPS 234 compliance.
Core Obligations
Board Accountability
The Board must ensure the entity maintains information security commensurate with the size and extent of threats to its information assets.
Information Security Capability
Maintain information security capability commensurate with the size and extent of threats. Actively manage security capability through recruitment, training, and tooling.
Incident Management
Establish mechanisms to detect, respond to, and recover from information security incidents. Notify APRA of material incidents within 72 hours.
Testing Control Effectiveness
Systematically test the effectiveness of information security controls through an assurance programme. Testing frequency must be commensurate with the risk the controls mitigate.
Third-Party Management
Evaluate the information security capability of third parties managing information assets. Ensure adequate controls across the supply chain.
Microsoft 365 Control Mapping
How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.
Information Security Capability
Controls: Defender XDR for advanced threat protection. Conditional Access with MFA and device compliance. Intune security baselines for endpoint hardening.
Evidence: Defender threat analytics, Conditional Access evaluation logs, Intune compliance reports.
Incident Management (72-Hour Notification)
Controls: Defender XDR incident detection with Sentinel playbooks for APRA notification workflows. Automated incident classification and timeline reconstruction.
Evidence: Incident timeline reports, APRA notification records, playbook execution logs.
Testing Control Effectiveness
Controls: Microsoft Secure Score for continuous control assessment. Sentinel compliance workbooks for control testing dashboards. Defender vulnerability management.
Evidence: Secure Score trend reports, compliance workbook exports, vulnerability assessment results.
Implementation Timeline
Related Frameworks
ISO 27001 certification is increasingly a procurement prerequisite. Without it, organisations face exclusion from enterprise supply chain shortlists and heightened scrutiny from insurers and regulators.
Civil penalties up to AUD 50 million or 30% of adjusted turnover make privacy breaches an existential financial risk requiring direct board oversight.
A qualified SOC 2 opinion—or the absence of one—directly determines whether enterprise clients will onboard or renew your contract.
Ready to get APRA CPS 234-ready?
Start with a fixed-scope sprint. We assess your Microsoft 365 controls against APRA CPS 234 requirements, close gaps, and produce audit-ready evidence.