APRA CPS 234 in 2026: The Six Common Gaps and Why Compliance Is Harder Than It Looks
APRA's Prudential Standard CPS 234 Information Security has been in force for nearly seven years. The Standard itself has not been amended. But the regulatory environment around it — the tripartite assessment programme, the Financial Accountability Regime, CPS 230 Operational Risk Management, the Cyber Security Act 2024 — has shifted significantly. Together, these have raised the practical compliance bar well above where it sat in 2019, and APRA-regulated entities that have not adjusted their compliance programmes are increasingly exposed.
When CPS 234 took effect on 1 July 2019, it was a milestone — APRA's first mandatory cross-industry prudential standard for information security. For the first time, every APRA-regulated entity faced a binding obligation to maintain information security capability commensurate with the size and extent of threats to its information assets. The Standard placed ultimate responsibility on the board, required identification and classification of information assets, imposed a 72-hour notification obligation for material security incidents, and extended these duties to third parties managing the entity's information.
What CPS 234 did not do — at least not directly — was tell entities precisely how to demonstrate compliance, or how good was good enough. The Standard is principles-based by design: 42 paragraphs spanning roughly seven pages, supported by Prudential Practice Guide CPG 234 which provides observations on good practice. Within that envelope, APRA has gradually built out the supervisory architecture that turns the Standard's principles into operational expectations. That architecture is what has changed materially since 2019, and it is where most of the current compliance work sits.
This piece walks through the current state of CPS 234 compliance: what the Standard still requires, the six common gaps APRA's independent tripartite assessment programme has surfaced across 300+ regulated entities, the overlapping obligations from the Financial Accountability Regime and CPS 230, the enforcement signals from recent supervisory action, and what an effective compliance programme looks like in 2026 — particularly for entities preparing for FAR attestation, an ASAE assurance engagement, or supervisory review.
The Standard hasn't changed. The expectations have. APRA has stated explicitly that it does not see formal amendments to CPS 234 as necessary in the short term. The supervisory work is in implementation depth — moving entities from "we have a policy" toward "controls actually work, evidence is fresh, and named accountable persons can explain it under questioning". That is a much higher bar than where most entities sat at commencement.
Where Things Stand Now
The CPS 234 compliance environment has been reshaped by a series of overlapping developments since the Standard came into force.
- 1 July 2019: CPS 234 in force. Prudential Standard CPS 234 Information Security commenced. The Standard applies to all APRA-regulated entities — ADIs, general insurers, life insurers, private health insurers, RSE licensees, and authorised or registered NOHCs.
- 2022 onwards: Tripartite assessment programme rollout. APRA progressively rolled out independent tripartite assessments of CPS 234 compliance across the regulated population, with the first tranche completed by mid-2023 covering ~24% of in-scope entities. The programme has continued through subsequent tranches.
- October 2023: Medibank capital charge precedent. APRA imposed an additional $250 million regulatory capital charge on Medibank following the October 2022 cyber incident — establishing that CPS 234 non-compliance findings carry direct, material capital consequences. The capital adjustment remains in place pending APRA's satisfaction that remediation has been completed.
- 1 July 2025: CPS 230 in force. Prudential Standard CPS 230 Operational Risk Management commenced, adding overlapping obligations around critical operations identification, material service provider management, business continuity, and 24-hour disruption notification. Entities subject to both CPS 234 and CPS 230 must navigate the interactions carefully.
- June 2025: APRA's FAR-CPS 234 letter. APRA wrote to RSE licensees explicitly linking the Financial Accountability Regime to CPS 234 compliance, requiring entities to advise APRA of the Accountable Person(s) with responsibilities for CPS 234 compliance and specifying which aspects of compliance each person covered. This made individual executive accountability for information security explicit for the first time.
- January 2026: Cyber Security Act 2024 — ransomware reporting Phase 2 active. Phase 2 active enforcement of mandatory ransomware payment reporting under the Cyber Security Act 2024 commenced. Entities with annual turnover above $3m must report any ransomware payment to ASD/ACSC within 72 hours. The obligation runs alongside, not in place of, the existing CPS 234 72-hour APRA notification for material information security incidents.
- 30 April 2026: CPS 230 targeted amendments finalised. APRA finalised targeted amendments to CPS 230, CPG 230, and the related guidance package. The amendments clarify the boundary between CPS 230 and CPS 234 in third-party contexts and adjust expectations for non-traditional service providers. Existing service provider contractual arrangements must comply with CPS 230 by the earlier of 1 July 2026 or the next renewal date.
What CPS 234 Still Requires
The Standard's 42 paragraphs are unchanged, but it's worth being precise about what they oblige entities to do — because the same obligations now sit inside a supervisory regime that examines implementation depth and personal accountability in ways that didn't exist in 2019.
Governance and roles (paragraphs 13–15)
The Board is ultimately responsible for information security. The entity must clearly define and document the information security-related roles and responsibilities of the Board, senior management, governing bodies, and individuals. APRA's FAR linkage made this requirement individual — at least one named Accountable Person now sits behind it.
Information security capability (paragraphs 16–17)
The entity must maintain information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity. Capability includes skills, tools, processes, and the operational arrangements that make them effective. Where capability is delivered by third or related parties, the entity must assess that capability.
Policy framework (paragraph 18)
The entity must have an information security policy framework commensurate with the entity's exposures to vulnerabilities and threats. The framework must provide direction on the responsibilities of all parties — including staff, contractors, third parties, customers — who have an obligation to maintain information security.
Information asset identification and classification (paragraphs 19–22)
The entity must identify and classify its information assets — including those managed by third or related parties — by criticality and sensitivity. Classification informs the controls applied. The obligation extends to non-sensitive, non-critical assets where their compromise could affect critical or sensitive assets.
Implementation of controls (paragraphs 23–26)
The entity must have information security controls to protect its information assets, including those managed by third or related parties. Controls must be commensurate with the vulnerabilities, threats, criticality, sensitivity, and lifecycle stage of the information asset. Where controls are designed, operated or assessed by a third or related party, the entity must evaluate the design and operating effectiveness of those controls.
Incident management (paragraphs 27–32)
The entity must have robust mechanisms in place to detect and respond to information security incidents in a timely manner. Incident management must include plans, procedures and capabilities for detection, response, recovery and post-incident review. Plans must be reviewed and tested at a frequency that reflects the rate at which the entity's information assets, vulnerabilities, threats, and impacts may change.
Testing control effectiveness (paragraphs 33–35)
The entity must test the effectiveness of its information security controls through a systematic testing program. Testing frequency must reflect the rate at which threats and vulnerabilities change, the criticality and sensitivity of the information asset, the consequences of an incident, the risks of exposure to environments where the entity cannot enforce its policies, and the materiality and frequency of change to information assets. Results must be communicated to the Board and management.
Internal audit (paragraphs 36–39)
The entity's internal audit activities must include review of the design and operating effectiveness of information security controls, including those maintained by third or related parties. Internal audit must include review of the appropriateness of the entity's information security capability.
APRA notification (paragraphs 40–42)
The entity must notify APRA of material information security incidents as soon as possible but no later than 72 hours after becoming aware of an incident that materially affected (or could have materially affected) the entity, or that has been notified to another regulator (domestic or overseas). The entity must notify APRA of material information security control weaknesses within 10 business days of becoming aware of them.
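The notification windows above (paragraphs 40 and 41) and the parallel Cyber Security Act 2024 ransomware window from the timeline, as an added Python example that is not part of the original article: it computes each deadline from the time the entity became aware, skipping weekends and a constructed holiday list for the 10-business-day window, and classifies a notification log as met, late, overdue or open. The holiday set and the reading of "business day" as a weekday outside that set are assumptions, not the page's.

```python
from datetime import datetime, timedelta, date

# Constructed sample public-holiday set for illustration only (assumption, not
# from the page): Australian public holidays differ by jurisdiction, so callers
# should supply the set that applies to them.
SAMPLE_HOLIDAYS = frozenset({
    date(2026, 1, 26),  # Australia Day
    date(2026, 4, 3),   # Good Friday
    date(2026, 4, 6),   # Easter Monday
    date(2026, 4, 25),  # Anzac Day
})


def add_business_days(start: datetime, days: int, holidays=frozenset()) -> datetime:
    """Walk forward `days` business days, keeping the time of day.
    Assumption: a business day is any Monday-Friday not in `holidays`."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current.date() not in holidays:
            remaining -= 1
    return current


def notification_deadlines(aware_at: datetime, holidays=frozenset(),
                           ransomware_payment: bool = False) -> dict:
    """Deadlines that start running when the entity becomes aware of the matter.

    CPS 234 para 40: material incident -> APRA as soon as possible, no later
    than 72 hours (elapsed time, not business hours).
    CPS 234 para 41: material control weakness -> APRA within 10 business days.
    Cyber Security Act 2024: ransomware payment -> ASD/ACSC within 72 hours,
    in addition to (not instead of) the APRA notification.
    """
    deadlines = {
        "apra_incident_72h": aware_at + timedelta(hours=72),
        "apra_weakness_10bd": add_business_days(aware_at, 10, holidays),
    }
    if ransomware_payment:
        deadlines["acsc_ransomware_72h"] = aware_at + timedelta(hours=72)
    return deadlines


def notification_status(deadlines: dict, notified: dict, now: datetime) -> dict:
    """Classify each obligation: 'met' (sent on time), 'late' (sent after the
    deadline), 'overdue' (not sent and deadline passed) or 'open' (still inside
    the window). `notified` maps obligation key -> datetime the notice was sent."""
    status = {}
    for key, deadline in deadlines.items():
        sent = notified.get(key)
        if sent is not None:
            status[key] = "met" if sent <= deadline else "late"
        else:
            status[key] = "overdue" if now > deadline else "open"
    return status


if __name__ == "__main__":
    # Constructed scenario: awareness on Thursday 2 April 2026, just before the
    # Easter long weekend, so the 10-business-day clock skips four calendar days.
    aware = datetime(2026, 4, 2, 15, 30)
    d = notification_deadlines(aware, SAMPLE_HOLIDAYS, ransomware_payment=True)
    sent = {"apra_incident_72h": datetime(2026, 4, 6, 9, 0)}  # after the 72h mark
    for k, v in notification_status(d, sent, datetime(2026, 4, 7, 9, 0)).items():
        print(f"{k:22s} deadline {d[k]:%Y-%m-%d %H:%M}  status {v}")
```

Feeding the entity's real escalation timestamps through `notification_status` is a quick way to measure the internal delay that gap six describes.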
The Six Common Gaps
APRA's tripartite assessment programme has now produced enough cross-population data for a clear picture of where compliance most commonly falls short. APRA itself has highlighted six common gaps across the regulated population. These are the patterns that show up repeatedly — not exotic failures but structural weaknesses in how compliance work is organised.
- Incomplete identification and classification of critical and sensitive information assets. Asset inventories are often partial, out of date, or limited to systems rather than information itself. Third-party-held assets are frequently missing entirely. Classification schemas exist but aren't applied consistently across the estate.
- Limited assessment of third-party information security capability. Vendor security reviews rely heavily on questionnaires and self-attestation. Independent assurance (SOC 2, ISO 27001 certification, ASAE 3402 reports) is collected but not critically evaluated against the entity's specific control expectations. Third-party material service providers under CPS 230 add further complexity.
- Inadequate definition and execution of control testing programs. Testing happens but follows audit-cycle rhythms rather than threat-driven frequencies. Success criteria are vague. Results don't reliably feed back into control redesign. Testing is biased toward what's easy to test rather than what materially matters.
- Incident response plans not regularly reviewed or tested. Plans exist on paper. Tabletop exercises happen annually if at all. Plans don't reflect actual current threat scenarios, current technical architectures, or current personnel. When real incidents occur, plans turn out to be partly fictional.
- Limited internal cyber audit review of information security controls. Internal audit's information security coverage is often thin in technical depth, leaning on summary policy review rather than design and operating effectiveness testing of controls. Where internal audit is outsourced, depth varies widely by provider.
- Inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner. Materiality assessment under time pressure is inconsistent. Internal escalation paths slow notification beyond the 72-hour and 10-business-day windows. The threshold for "material weakness" is interpreted variably across entities.
Each gap is, on its own, addressable. The reason they persist is that addressing them requires sustained investment in the unglamorous parts of an information security programme — asset inventories, evidence quality, testing rigour, audit depth — at the same time as the entity is also fighting incidents, deploying new systems, and managing budget pressure. The entities that score well on the tripartite assessments are the ones that have made these unglamorous areas operating-rhythm priorities, not project work.
The FAR Layer — Individual Accountability
Of all the changes since 2019, the Financial Accountability Regime has probably had the most direct effect on how CPS 234 compliance is being managed at senior levels. APRA's June 2025 letter to RSE licensees required them to advise APRA of the Accountable Person(s) with responsibilities for CPS 234 compliance, specifying which aspects of compliance each person covered if more than one was named. The pattern has propagated across the broader APRA-regulated population.
The practical effect is that "the entity" is no longer the only locus of accountability for information security. Specific named individuals now sit behind specific obligations, with personal regulatory consequences for failures within their scope. That sharpens the work in two directions:
- FAR Accountable Persons need defensible evidence. Personal accountability for CPS 234 compliance turns the question "what does our programme look like?" into "what can I personally show?". The evidence trail, the review cadence, the testing programme, the incident response readiness — these become things the named individual needs to be able to demonstrate in detail. Self-assessments that haven't been independently challenged, controls that haven't been tested, plans that haven't been exercised: these are the gaps where personal accountability bites hardest.
- The board needs accountability mapping. Boards now need to know, not just that CPS 234 obligations are being met, but who specifically is responsible for which obligations and what assurance they receive about that person's performance. Audit committees and risk committees increasingly request named-person reporting against CPS 234 obligation areas — and that means mapping the Standard's nine assessable obligation areas to specific FAR Accountable Persons, with consolidated evidence visibility.
The Independent Assessment Question
The tripartite programme established a model — independent third-party assessment, ASAE reporting standards, comprehensive coverage of the Standard. For entities that have already been through a tripartite assessment, the question is whether and how often to repeat that exercise. For entities that have not, the question is whether to wait for APRA to schedule one or to commission an equivalent independent assessment proactively.
The 310-series prudential standards on audit (APS 310, GPS 310, LPS 310, SPS 310, HPS 310) already require the Appointed Auditor to provide APRA with limited assurance on the effectiveness of all Prudential Standards — including CPS 234. That assurance, however, is necessarily limited in depth. A comprehensive ASAE 3000 reasonable-assurance engagement scoped specifically against CPS 234 is a different artefact entirely, and increasingly common as an internal audit instrument or pre-tripartite preparation.
Either way, the question of independence has become structurally embedded in CPS 234 compliance. Self-assessment results are an input, not the deliverable.
What to Do This Quarter
For APRA-regulated entities preparing for the next supervisory cycle, the following five steps focus effort where it has the most leverage.
- Confirm FAR Accountable Person mapping for CPS 234. If the named person(s) and their scope of accountability aren't clear at board level, fix that first. Map each of the nine obligation areas to a specific Accountable Person and document the evidence they rely on. Where the same person carries multiple obligations, make sure their support model — staff, advisors, evidence access — is commensurate.
- Run a six-common-gap diagnostic. Treat APRA's six common gaps as a diagnostic question set. Where do you actually sit on each one? What evidence would you put in front of a tripartite assessor? Where the answer is "we'd struggle to evidence this", that's the priority remediation work.
- Re-baseline the information asset inventory. Asset identification and classification is the single most common gap, and the foundation everything else builds on. A current, complete inventory — including third-party-held assets — is non-negotiable. If yours isn't, this quarter is the time to start.
- Test an incident response plan that actually reflects today. Exercise the plan against a current realistic scenario — not the scenario you exercised three years ago. Include third-party dependencies and the APRA notification path. Capture what didn't work and feed it back into the plan. Repeat the cycle on a defined frequency.
- Confirm the third-party assurance trail. For each material service provider whose systems touch in-scope information assets, what is the current evidence of their information security capability? When was it last critically evaluated against your specific control expectations? CPS 230's material service provider register due 1 October 2025 has surfaced gaps that need closure before the next supervisory engagement.
The Bottom Line
CPS 234 looked relatively new in 2019. In 2026 it is foundational — the bedrock obligation that intersects with FAR, CPS 230, the Cyber Security Act 2024, and APRA's evolving supervisory architecture. Compliance is not just an entity question; it is a named-person question, an evidence question, and an assurance question. The entities that have been moving steadily on the six common gaps and on FAR mapping are well placed. The ones treating CPS 234 as a 2019 standard that hasn't changed are increasingly exposed.
The right operating rhythm is continuous, not cyclical. A quarterly cadence of structured self-assessment with periodic independent challenge, board-visible evidence, and named-person accountability is what the regulator expects to see. The cost of getting there is meaningfully smaller than the cost of being caught short — whether by a tripartite assessment finding, a capital charge precedent like Medibank, or a FAR consequence flowing back to a named individual.
Frequently Asked Questions
When did APRA CPS 234 come into force?
Prudential Standard CPS 234 Information Security came into force on 1 July 2019. It was APRA's first mandatory cross-industry prudential standard for information security and applies to all APRA-regulated entities including banks, insurers, superannuation trustees, and non-operating holding companies. The Standard itself has not been formally amended since commencement, but the surrounding regulatory environment — FAR, CPS 230, the Cyber Security Act 2024, the tripartite assessment programme — has shifted significantly since then.
What is the CPS 234 tripartite assessment programme?
The tripartite assessment programme is APRA's independent assessment regime covering more than 300 APRA-regulated entities, in which a third party (under Auditing and Assurance Standards Board reporting standards such as ASAE 3000 or ASAE 3402) conducts a comprehensive independent assessment of CPS 234 compliance. The first tranche identified six common gaps across the regulated population. The programme has continued through subsequent tranches and remains a core element of APRA's CPS 234 supervisory approach.
What are the six common gaps APRA identified in CPS 234 compliance?
APRA's tripartite assessment programme identified six common gaps: incomplete identification and classification of critical and sensitive information assets; limited assessment of third-party information security capability; inadequate definition and execution of control testing programs; incident response plans not regularly reviewed or tested; limited internal cyber audit review of information security controls; and inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner.
How does FAR interact with CPS 234?
The Financial Accountability Regime establishes personal accountability for senior executives and directors. APRA's June 2025 letter to RSE licensees made the linkage explicit: entities were required to advise APRA of the Accountable Person(s) with responsibilities for CPS 234 compliance, specifying which aspects each person covered if more than one was named. CPS 234 compliance is no longer just an entity-level obligation but a named-individual obligation, with personal consequences for the responsible Accountable Person.
What is the 72-hour incident notification requirement?
CPS 234 paragraph 40 requires APRA-regulated entities to notify APRA of material information security incidents as soon as possible, but no later than 72 hours after becoming aware of an incident that materially affected (or could have materially affected) the entity, or that has been notified to another regulator. Paragraph 41 requires notification of material information security control weaknesses within 10 business days. These obligations run alongside, not in place of, the Notifiable Data Breach scheme, the Cyber Security Act 2024 mandatory ransomware reporting (Phase 2 active from January 2026), and any sector-specific reporting obligations.
How does CPS 230 affect CPS 234 compliance?
CPS 230 Operational Risk Management commenced on 1 July 2025 and adds overlapping obligations including identification of critical operations, enhanced material service provider management with annual registers submitted to APRA, 24-hour notification of disruptions to critical operations outside tolerance, and contractual provisions allowing APRA on-site visits to material service providers. The most significant interaction with CPS 234 is third-party risk management. Service provider contractual arrangements must comply with CPS 230 by the earlier of 1 July 2026 or the next renewal date.
Assess Your CPS 234 Posture
The CyberAssure APRA CPS 234 Assessment evaluates your compliance posture across all nine assessable obligation areas, with the six common gaps from APRA's tripartite programme built in. Generate APRA-ready Word and Excel reports, a structured gap register, FAR Accountable Person mapping, and a prioritised remediation roadmap.