There is a comfortable myth in Australian financial services: that APRA is a paper tiger. No fines, no headlines, no real teeth. Ask Medibank. In 2023, APRA forced it to hold an extra $250 million in capital — the first time it had ever done so for a cyber attack — and that money stays locked away until APRA is satisfied the weaknesses are fixed. That is the point most boards miss about APRA. It does not fine you. It makes you carry hundreds of millions in dead capital, puts your board’s risk culture under formal review, and — under the Financial Accountability Regime — makes named executives personally accountable, with no indemnity available. That is not a paper tiger. It is a different, sharper set of teeth.
And the standard behind it has not moved since 2019. APRA has deliberately held CPS 234 unamended and turned up the enforcement instead — most visibly through a tripartite assessment programme that has put an independent auditor inside hundreds of entities and found the same handful of gaps, over and over.
The four things CPS 234 asks you to demonstrate
Stripped to its structure, the standard requires an entity to demonstrate four things. Clear roles and responsibilities, with the board ultimately responsible for information security. An information security capability commensurate with the size and extent of the threats to its information assets — explicitly including assets managed by related parties and third parties. Controls implemented and, critically, tested for design and operating effectiveness by appropriately skilled and functionally independent specialists. And prompt notification to APRA: within 72 hours of a material incident, and within 10 business days of identifying a material control weakness that cannot be remediated in time.
The obligations that most often go under-evidenced
- Third-party capability. Where information assets are managed by a service provider, you must assess that provider’s security capability against the consequences of an incident. This applies to all such assets — not only those inside a formal outsourcing arrangement.
- Independent testing. Testing must be conducted by functionally independent specialists, and results identifying deficiencies that cannot be remediated promptly must be escalated to the board or senior management. Management testing its own controls is not what the standard describes.
- Internal audit review. Internal audit must review the design and operating effectiveness of information security controls, including those maintained by third parties.
CPS 234 did not get smaller. CPS 230 arrived beside it.
A frequent and costly misreading is that CPS 230, which took full effect on 1 July 2026, somehow supersedes CPS 234. It does not. The two standards are complementary and both binding. CPS 234 governs information security specifically; CPS 230 governs the broader field of operational risk, business continuity and service-provider management. They are engineered to interlock — strong information security under CPS 234 feeds directly into operational resilience under CPS 230 — and APRA has confirmed the one practical overlap in the entity’s favour: an incident notified under CPS 234 does not need to be separately reported under CPS 230.
The independent-assessment requirement, read plainly
CPS 234 does not merely permit independent assessment. Its testing and assurance obligations are built around independence: controls tested by functionally independent specialists, weaknesses escalated to the board, and third-party capability assessed rather than assumed. An entity that can only produce management’s own account of its posture has not met the standard as written — it has described an intention to.
A BlackFlag Advisory assessment contributes the external half of that picture. Passively and without accessing any system, it establishes what your entity and your material service providers expose to the open internet, rated as risk and mapped to CPS 234 and CPS 230. It does not replace internal testing; it supplies the functionally independent, outside-in view that internal testing cannot see — the same view an attacker assembles before choosing where to push.
Sources & references
- APRA — Prudential Standard CPS 234 Information Security
- APRA — Prudential Standard CPS 230 Operational Risk Management (in force 1 July 2026)
- APRA — Prudential Practice Guide CPG 234 Information Security
- APRA — Industry letters on information security and authentication controls
- APRA — Action against Medibank Private ($250M capital add-on, June 2023)
- McClure v Medibank Private Limited [2025] FCA 167 — prior 2020/2021 assessments flagged the unremediated MFA gap