APRA CPS 234 Compliance
We make it easy for you to meet your APRA and IT security compliance requirements, fast!

What is APRA CPS 234

CPS 234 is a mandatory regulation issued by the Australian Prudential Regulatory Authority (APRA) that commenced on 1st of July 2019. It requires organisations to improve their information security capabilities commensurate with the evolving size and extent of the threats to their assets.

How CPS 234 will help your business

It gives your clients and suppliers peace of mind

You can win more business

It will help with winning tenders

Reduces Risk

APRA Announcement

“We are also going to take a much more targeted approach to ensuring CPS 234 is being fully complied with, and holding boards and management accountable where it is not. I can announce today that APRA will shortly be requesting one-off tripartite independent cyber security reviews across all our regulated industries. Starting next year, APRA will be asking boards to engage an external audit firm to conduct a thorough review of their CPS 234 compliance and report back to both APRA and the board.” – Geoff Summerhayes, APRA, 26 November 2020

Who you’re working with matters

Greenlight has undergone the CPS 234 compliance process internally, and has helped a number of our clients meet their requirements in record time.

  • Greenlight has dedicated in house compliance resources
  • You need an IT provider that understands your financial institution and is CPS 234-aware.
  • We have financial industry experience and expertise.
  • Offices in Sydney and Melbourne

Your questions answered

  • APRA’s new mandatory regulation is a direct response to the evolving threats of the modern cyber landscape and brings to the forefront the importance of strong cyber security in the information age.

    The key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including information assets managed by related parties or third parties.

  • CPS 234 came into effect on July 1st, 2019. At the time, APRA announced a 12 month grace period for regulated entities to become compliant with the standard by July 1st, 2020. For third parties acting as a supplier to regulated entities (such as Managed Service Providers), the compliance grace period was extended to January 1st, 2021.

  • APRA has not yet determined how or when it will conduct checks, nor has it announced any penalties. Looking at it from a historical point of view, we can assume that at some point an audit process will be defined, with the penalty imposed most likely being a monetary fine.

    While some large organisations may have funds set aside for this purpose, those organisations are few and far between. The reality is that most mid-sized APRA regulated entities will not be able to recover quickly from imposed fines for non-compliance.

    Now that the July 1st, 2020 grace period for organisations has passed, APRA has begun increasing the number of checks it conducts on businesses.

  • This depends largely on the size and complexity of your organisation and on the type and number of third parties involved in its operations. The process can be accelerated if some policies already exist and only need to be updated or modified. For a mid-sized organisation with little to no existing framework, a 3 month period from analysis to completed implementation is realistic.

  • Although your IT provider doesn’t have to be CPS 234 ready, working with one that isn’t will greatly slow down the process for your business. There will be additional direct and indirect costs for both you and your IT provider as you jointly go through the compliance process.

  • The first step should be to talk to your current Managed Service Provider to determine whether they are already CPS 234 compliant themselves, are in a position to start the process with you and have the expertise necessary to create and implement the required policies and procedures.

    Once both parties are ready, the next steps are:

    1. Conduct a gap analysis
    2. Structure an achievable roadmap to close any found gaps
    3. Design a CPS 234 framework and associated policies
    4. Start communicating the policies
    5. Add in new requirements to the provisioning and de-provisioning of any affected parties
    6. Start implementing the roadmap tasks

Trusted by over 300 amazing clients that love what we do

Your 3 easy steps to CPS 234 compliance

Step 1

Schedule a call

Have a conversation with our IT experts so we can understand you and your business

Step 2

We perform a gap analysis

Together we create an action plan to meet your compliance requirements

Step 3

Implement together

We build a long lasting relationship and ensure that IT is a catalyst for your business success

We are here to help!

We’ll help you tick those compliance boxes and keep your data safe.