hermes-brain/ideas/compliance/apra-cps-234.org

:PROPERTIES:
:ID:       904f5f12-ec9a-4cbf-854a-0b9b1e11a521
:ID:       auto-apra-cps-234
:CREATED:  [2026-05-23 Sat]
:END:
#+title: APRA CPS 234 (Prudential Standard — Information Security)
#+filetags: :passepartout:compliance:framework:apra:

** APRA CPS 234 (Prudential Standard — Information Security)

Australian Prudential Regulation Authority standard for regulated financial
institutions. Requires: clearly defined information security roles and
responsibilities, periodic cybersecurity capability assessments, robust control
testing, timely remediation of control weaknesses, mandatory notification of
material incidents to APRA within 72 hours.

Who must comply: Banks, insurers, superannuation funds regulated by APRA.
~500 entities.

Penalties: APRA can impose capital requirements, license conditions, or
license cancellation for non-compliance. Personal liability for board and
senior management.

Why it matters: CPS 234's control testing requirement creates demand for
continuous verification — exactly what the gate stack and [[id:45258a2d-1675-562c-9024-5d1eb2f1ea56][evaluation harness]]
provide. First-mover advantage: CPS 234 is mature (2019) but enforcement is
escalating. No vendor provides a deterministic control-testing pipeline.