APRA CPS 234 and Australian Financial Cybersecurity in 2026

APRA's CPS 234 framework defines cybersecurity expectations for Australian financial entities. Where it sits in 2026 and what compliance actually requires.


The Australian Prudential Regulation Authority’s Prudential Standard CPS 234 — operational from July 2019 — established one of the most prescriptive financial cybersecurity frameworks globally. APRA’s enforcement posture has become progressively more active through 2022-2026, with substantial supervisory action, including the high-profile response to the Medibank breach, and a broader tightening of sectoral expectations.

For Australian regulated entities — banks, insurance companies, superannuation funds — CPS 234 plus the broader prudential framework defines the cybersecurity expectations.

I want to walk through what CPS 234 actually requires.


The framework

CPS 234 establishes principles-based but operationally specific expectations for:

Cybersecurity policy and governance — board-level accountability, with the board having responsibility for cybersecurity risk.

Information security capability — adequate capability relative to the entity’s specific risk profile.

Information assets identification and classification — comprehensive inventory with risk-based classification.

Controls implementation — proportionate to the classification and risk.

Incident management — including the specific reporting obligations to APRA.

Third-party / vendor risk — substantial expectations on supply-chain security.

The framework has been updated through guidance and supplementary materials since 2019, with substantial 2024-2025 refinements following the Medibank and Latitude Financial breaches.

What CPS 234 compliance actually requires

For an APRA-regulated entity:

  1. Board-level cybersecurity oversight with documented engagement.
  2. CISO or equivalent senior role with appropriate authority.
  3. Information asset inventory maintained and risk-classified.
  4. Cybersecurity control framework, typically aligned to ISO 27001, NIST CSF, or similar, with APRA-specific overlays.
  5. Annual penetration testing with substantial scope.
  6. Vendor risk assessments for all material third parties.
  7. Incident response capability with defined SLAs.
  8. APRA notification within specific timeframes for material incidents.
  9. Regular cyber risk reporting to the board.
  10. Independent assurance including external audits.

The compliance work is substantial. APRA-regulated entities typically maintain dedicated cybersecurity teams of meaningful scale relative to the entity size.

The breach context

Several high-profile breaches have shaped APRA’s enforcement posture:

The 2022 Medibank breach — 9.7 million customers affected, with substantial personal data exposed. APRA’s response included substantial supervisory action and had broader implications for the sector.

The 2023 Latitude Financial breach — 14 million customer records.

The 2022 Optus breach — a telco rather than an APRA-regulated entity, but it shaped the broader policy environment.

The cumulative effect has been substantial tightening of APRA expectations and a clear focus on operational resilience.

The Consumer Data Right interaction

The Australian Consumer Data Right (CDR) framework — Australia’s open banking equivalent (covered in the CDR post) — has specific cybersecurity expectations that overlay CPS 234 for the financial-services CDR participants.

Practical engineering implications

For an engineering team at an APRA-regulated entity in 2026:

  1. Information security capability with operational maturity matching the entity’s risk profile.
  2. Comprehensive logging and monitoring, with retention meeting APRA’s expectations.
  3. Identity and access management with appropriate granularity.
  4. Vulnerability management, including regular penetration testing.
  5. Vendor risk integration with technical due-diligence work.
  6. Incident detection and response, including the capability to notify APRA.
  7. Resilience testing, including disaster recovery exercises.

What’s coming in 2026 and 2027

Three things to watch:

Continued refinements to APRA guidance are expected.

The Critical Infrastructure framework continues to evolve, with implications for cross-sector cybersecurity.

Developments under the Cyber Security Act shape the broader Australian cybersecurity context.

Where pdpspectra fits

Our cybersecurity engineering and compliance work spans Australia and the broader Asia-Pacific. We work with regulated entities on CPS 234 compliance architecture, technical implementation, and the operational rails.

Related reading: the UK NCSC post, the Germany BSI post, and the India RBI cybersecurity post.
APRA CPS 234 is operationally demanding. Talk to our team about your compliance.