What is APRA CPS 234?
Effective since 1 July 2019, APRA Prudential Standard CPS 234 requires every regulated entity to maintain an information security capability commensurate with the size and threats they face across every channel, including mobile. It's not optional, and it's not just a network-security checkbox. CPS 234 explicitly covers the controls, identity assurance, and incident detection your institution applies to the apps your customers use every day.
Product Suites
5
Core Requirement Categories
Capability, policy, controls, incident management, and testing — each with specific mobile implications.
10 days
APRA Notification Window
Capability, policy, controls, incident management, and testing — each with specific mobile implications.
Annual
Testing Expectation
APRA expects systematic testing of key controls - more frequently for untrusted environments like mobile.