The Text Never Changed. The Enforcement Did.
What CPS 234 asks you to demonstrate — and why CPS 230 sits beside it, not over it.

Can you evidence what your material service providers expose — independently? CPS 234 is built around functionally independent testing. A passive external assessment is where that evidence begins.

Assess Your Exposure →

There is a comfortable myth in Australian financial services: that APRA is a paper tiger. No fines, no headlines, no real teeth. Ask Medibank. In 2023, APRA forced it to hold an extra $250 million in capital — the first time it had ever done so for a cyber attack — and that money stays locked away until APRA is satisfied the weaknesses are fixed. That is the point most boards miss about APRA. It does not fine you. It makes you carry hundreds of millions in dead capital, puts your board’s risk culture under formal review, and — under the Financial Accountability Regime — makes named executives personally accountable, with no indemnity available. That is not a paper tiger. It is a different, sharper set of teeth.

And the standard behind it has not moved since 2019. APRA has deliberately held CPS 234 unamended and turned up the enforcement instead — most visibly through a tripartite assessment programme that has put an independent auditor inside hundreds of entities and found the same handful of gaps, over and over.

$250M
The teeth. Extra capital APRA forced Medibank to hold after its breach — the first ever for a cyber attack, still in place
Source: APRA, June 2023
300+
The dragnet. Entities audited under APRA’s tripartite programme — the same six control gaps, found over and over
Source: APRA tripartite assessments
Personal
The FAR hook. Named executives are now personally accountable for CPS 234 — and cannot be indemnified for a breach
Source: Financial Accountability Regime

The four things CPS 234 asks you to demonstrate

Stripped to its structure, the standard requires an entity to demonstrate four things. Clear roles and responsibilities, with the board ultimately responsible for information security. An information security capability commensurate with the size and extent of the threats to its information assets — explicitly including assets managed by related parties and third parties. Controls implemented and, critically, tested for design and operating effectiveness by appropriately skilled and functionally independent specialists. And prompt notification to APRA: within 72 hours of a material incident, and within 10 business days of identifying a material control weakness that cannot be remediated in time.

The obligations that most often go under-evidenced

  • Third-party capability. Where information assets are managed by a service provider, you must assess that provider’s security capability against the consequences of an incident. This applies to all such assets — not only those inside a formal outsourcing arrangement.
  • Independent testing. Testing must be conducted by functionally independent specialists, and results identifying deficiencies that cannot be remediated promptly must be escalated to the board or senior management. Management testing its own controls is not what the standard describes.
  • Internal audit review. Internal audit must review the design and operating effectiveness of information security controls, including those maintained by third parties.

CPS 234 did not get smaller. CPS 230 arrived beside it.

A frequent and costly misreading is that CPS 230, which took full effect on 1 July 2026, somehow supersedes CPS 234. It does not. The two standards are complementary and both binding. CPS 234 governs information security specifically; CPS 230 governs the broader field of operational risk, business continuity and service-provider management. They are engineered to interlock — strong information security under CPS 234 feeds directly into operational resilience under CPS 230 — and APRA has confirmed the one practical overlap in the entity’s favour: an incident notified under CPS 234 does not need to be separately reported under CPS 230.

Enforcement is not hypothetical APRA’s tripartite assessment programme, covering several hundred entities, has surfaced widespread and systemic control gaps — and the consequences are real. The capital add-on applied to Medibank after its breach established that an information-security failure translates directly into a prudential and financial outcome. APRA’s 2025 letters to the superannuation industry, focused on authentication and multi-factor controls, show where its attention currently sits.
The gap was assessed. Twice. It just wasn’t fixed. Medibank is the case that should end the debate about whether any of this bites. The root-cause analysis of its 2022 breach — later ruled discoverable, not privileged — found the attacker walked in through stolen credentials for an account with no multi-factor authentication. That exact weakness had been flagged in the company’s own prior assessments in 2020 and 2021, and left unremediated. The independent reviews then arrived in force after the fact: Deloitte’s post-incident review, a root-cause analysis, and a standalone external review of CPS 234 compliance — followed by APRA’s $250 million capital add-on and a targeted review of governance and risk culture. Assessment was never the missing piece. Acting on it, and independently confirming it had been acted on, was.

The independent-assessment requirement, read plainly

CPS 234 does not merely permit independent assessment. Its testing and assurance obligations are built around independence: controls tested by functionally independent specialists, weaknesses escalated to the board, and third-party capability assessed rather than assumed. An entity that can only produce management’s own account of its posture has not met the standard as written — it has described an intention to.

A BlackFlag Advisory assessment contributes the external half of that picture. Passively and without accessing any system, it establishes what your entity and your material service providers expose to the open internet, rated as risk and mapped to CPS 234 and CPS 230. It does not replace internal testing; it supplies the functionally independent, outside-in view that internal testing cannot see — the same view an attacker assembles before choosing where to push.

Sources & references

Is Your CPS 234 Posture
Independently Tested, or Assumed?

A BlackFlag Advisory assessment gives your Board the functionally independent, outside-in view CPS 234 is built around — mapped to your obligations, before an incident makes it a notification.

Request an Assessment →
Passive Only — No Systems Accessed

All BlackFlag Advisory assessments use exclusively passive OSINT techniques and publicly available data sources. No systems, networks, or accounts are accessed, probed, or tested at any time. Board-ready output delivered within three to seven business days.