Financial Services Security Advisory

APRA is watching.
Is your security programme ready?

Australian financial services organisations face the most prescriptive cyber security regulatory environment in the country. APRA CPS 234 is not a framework to aspire to: it is a mandatory prudential standard with enforcement consequences. We help banks, insurers, superannuation funds and other APRA-regulated entities build security programmes that genuinely satisfy regulatory scrutiny, not just survive it.

Regulatory Obligations

APRA CPS 234: Information security capability and testing
APRA CPS 220: Risk management framework
ASD Essential Eight: Increasingly expected by regulators
Privacy Act and NDB: Notifiable Data Breaches scheme
AUSTRAC AML/CTF: Transaction monitoring security
CDR / Open Banking: Consumer Data Right security
The Reality

APRA's enforcement posture has fundamentally shifted

For most of its existence, APRA CPS 234 was treated by regulated entities as a compliance framework — something to satisfy at audit time. That era is over. APRA's enforcement record since 2021 demonstrates clearly that the regulator is prepared to impose directed remediation programmes, capital add-ons and public determinations on entities whose security posture does not meet expectations.

The financial services sector is also the primary target of the most sophisticated cyber adversaries operating in the Australian threat landscape — criminal groups motivated by financial gain and state-sponsored actors interested in financial system stability. The combination of regulatory pressure and threat actor attention makes this sector one where the consequences of an inadequate security programme are uniquely severe.

Most CPS 234 compliance programmes are not as mature as the entities running them believe. Self-assessment against APRA's requirements consistently shows a pattern of strong documentation and weak technical control implementation — a gap that APRA's own supervisory activity is increasingly focused on closing.

  • Build a security programme that survives APRA supervisory scrutiny, not just an internal assessment
  • Demonstrate information security capability commensurate with your size and threat environment
  • Implement and evidence a testing programme that meets CPS 234 requirements
  • Establish board-level security oversight that satisfies APRA governance expectations
  • Prepare notification frameworks for material information security incidents

APRA CPS 234 — Enforcement Timeline

2019
CPS 234 Comes Into Force

CPS 234 takes effect on 1 July 2019. All APRA-regulated entities are required to maintain information security capability, classify information assets, test the effectiveness of controls and notify APRA of material information security incidents within 72 hours. The accompanying Prudential Practice Guide CPG 234 is published alongside it, setting out APRA's expectations for controls, testing and board reporting in more granular terms.

2020
First Cross-Industry Review

APRA's first systematic review of CPS 234 compliance finds material gaps in testing programmes, third-party risk management and board oversight across regulated entities.

Gaps identified at majority of entities reviewed
2023
Public Capital Adjustment on Medibank

Following the October 2022 Medibank data breach, APRA imposes a $250 million capital adjustment on Medibank in June 2023, citing weaknesses in information security governance and controls. The adjustment remains in place until an agreed remediation programme is completed to APRA's satisfaction.

$250M capital adjustment · Public determination
2024
Supervisory Intensity Increases

APRA signals increased supervisory focus on cyber risk as part of its 2024-2028 Corporate Plan, with targeted cyber reviews becoming standard for all regulated entities.

Targeted reviews now standard practice
APRA CPS 234 — Key Obligations

What CPS 234 actually requires of your organisation

CPS 234 is structured around six core obligation areas. Each carries specific implementation and evidence requirements that APRA's supervisory reviews now test with increasing rigour.

Obligation 1

Information Security Capability

Entities must maintain information security capability commensurate with the size and extent of threats to their information assets — and actively test and update that capability over time. APRA expects this to be formally documented and reviewed at least annually.

Obligation 2

Information Asset Classification

All information assets must be classified according to their criticality and sensitivity. The classification framework must be applied consistently and used to determine the level of security controls applied to each asset category.

Obligation 3

Implementation of Controls

Security controls must be implemented to protect information assets commensurate with their classification. Controls must address the full threat landscape — not just those threats most commonly discussed in vendor marketing.

Obligation 4

Testing Programme

A systematic testing programme must validate the effectiveness of all security controls — including controls implemented by third parties. Testing must be risk-based, cover all critical assets and produce findings that are actioned within defined timeframes.

Obligation 5

Incident Notification

Material information security incidents must be notified to APRA as soon as possible and no later than 72 hours after becoming aware of them. CPS 234 also requires notification of a material information security control weakness within 10 business days where the entity expects it will not be remediated in a timely manner. Entities must have documented incident response and notification procedures, and must test them. A 72-hour clock on an untested procedure is a material risk.

Obligation 6

Board & Management Accountability

The Board must be responsible for ensuring the entity maintains adequate information security. Management must provide the Board with regular reporting on the security posture. Both must be demonstrably engaged — not passively informed.

⚠️ Most Common CPS 234 Gaps Identified in APRA Supervisory Reviews

  • Testing programme that covers documentation but not technical controls
  • Third-party risk management that relies on vendor attestations rather than independent testing
  • Information asset classification frameworks that are not consistently applied
  • Board reporting that summarises security posture without evidence of independent assurance
  • Incident notification procedures that have never been tested in a simulation
  • Security capability assessments that are self-certified rather than independently validated

Services for Financial Services

What we deliver to banks, insurers and superannuation funds

Our financial services practice is built around the specific obligations, threat landscape and board-level scrutiny that APRA-regulated entities face. Every engagement is scoped to your regulatory position, not a generic framework.


APRA CPS 234 Gap Assessment

A structured assessment of your compliance posture against all six CPS 234 obligation areas — tested against the evidentiary standard APRA's supervisors apply, not your internal self-assessment criteria. Delivered with a prioritised remediation roadmap.

View Compliance Service ↗

Security Gap Analysis

A comprehensive assessment of your security posture against APRA CPS 234, ASD Essential Eight and ISO 27001 — cross-mapped to reduce duplication and delivered as a board-ready remediation plan that speaks in the language of regulatory consequence.

View Gap Analysis ↗

vCISO Advisory

Strategic security leadership for regulated entities that need CISO-level capability at the board table — without the permanent overhead. Our financial services vCISOs have direct APRA engagement experience and understand the language regulators expect.

View vCISO Service ↗

SOC Optimisation

Financial services SOCs face among the highest alert volumes in the market — with threat actors specifically targeting payment systems, customer data and trading infrastructure. We identify where your SOC's operational drag is creating detection risk.

View SOC Optimisation ↗

Threat Intelligence & Detection

We operationalise threat intelligence relevant to financial sector threat actors — covering financially motivated criminal groups, BEC actors and the state-sponsored adversaries targeting Australian financial market infrastructure.

View Detection Service ↗

Vendor Rationalisation

Financial services security stacks are among the most complex in the Australian market — the product of years of regulatory-driven tool acquisition. We identify where you are paying for redundancy and build the business case for consolidation without reducing coverage.

View Vendor Service ↗
The Compliance Lifecycle

CPS 234 compliance is not a point-in-time event

The most common — and most costly — mistake regulated entities make is treating CPS 234 compliance as an annual assessment exercise. APRA expects continuous capability maintenance and evidence of active engagement with security obligations year-round.

1

Obligation Mapping & Baseline Assessment

We establish your complete CPS 234 obligation set — including the third-party obligations that many entities underestimate — and assess your current compliance position against each requirement. Most entities discover gaps they were unaware of at this stage.

2

Control Design & Gap Remediation

We design controls that satisfy APRA's requirements — not just document what exists. Remediation is phased by risk priority, with the gaps most likely to attract APRA scrutiny addressed first. We own the remediation tracking alongside your team.

3

Testing Programme Design & Execution

We design a testing programme that satisfies CPS 234's requirements — covering technical controls, third-party controls and the incident notification process. We support execution and document evidence in the format APRA supervisors expect to see.

4

Board Reporting & Attestation Support

We produce board-ready security reporting that gives your directors the picture they need to meet their CPS 234 governance obligations — and prepare your attestation documentation if required by APRA.

5

Ongoing Assurance & APRA Engagement

We maintain an ongoing assurance programme — quarterly control testing, annual assessment updates and ad-hoc support for APRA enquiries, information requests and directed reviews. You are never facing APRA unprepared.

Evidence We Help You Maintain

APRA supervisors do not accept assertion — they require evidence. The table below shows the evidence categories we help regulated entities build and maintain on a continuous basis.

Obligation area      | Evidence we produce
Capability           | Annual capability assessment report with independent attestation
Asset classification | Information asset register with classification decisions documented
Controls             | Control framework documentation with implementation evidence
Testing              | Testing programme calendar, results log and remediation tracking
Third parties        | Third-party security assessment results and follow-up evidence
Incidents            | Incident log, notification records and lessons-learned documentation
Board                | Quarterly board reporting pack with APRA-relevant metrics

Third-Party Risk — The Hidden Gap

Where information assets are managed by a third party or related party, CPS 234 requires the regulated entity to evaluate the design of that party's information security controls and to include those controls in its own testing programme, commensurate with the potential consequences of an incident. Most entities instead rely on vendor attestations such as SOC 2 reports and ISO 27001 certificates. APRA's supervisory guidance is clear that attestations alone are insufficient: the entity must be able to show its own assessment of the controls protecting its assets.

Discuss Third-Party Risk →
Case Study

ASX-listed financial services group recovers from APRA-directed remediation programme

Following a directed remediation programme imposed by APRA after a 2022 supervisory review, a mid-tier Australian financial services organisation engaged GadgetAccess to rebuild their CPS 234 compliance programme from the ground up — with a 12-month timeline to demonstrate remediation to APRA's satisfaction.

We delivered a complete evidence-backed compliance programme — including a redesigned testing programme, board governance framework and third-party risk management capability — that satisfied APRA's requirements within the required timeframe.

Discuss a Similar Engagement →
12 months
From directed remediation to APRA sign-off on the rebuilt compliance programme, within the regulator's required timeframe.
100% coverage
All CPS 234 obligation areas addressed with documented evidence, including third-party controls that had not previously been independently tested.
6 reports
Board security reporting redesigned and delivered quarterly, giving directors the independent assurance picture APRA requires.

GadgetAccess understood what APRA was actually looking for — not what we thought they wanted. The difference between the two was significant. Their approach to evidence design saved us from building another programme that would have failed the same test.

— Chief Risk Officer, ASX-listed financial services group
Financial Services Advisory

Built for APRA. Ready for APRA.

Our financial services advisory is designed around what APRA actually looks for — not what a generic compliance framework requires. Book a briefing and we'll show you where your programme stands against that standard.

Briefings prepared specifically for your regulatory position and programme maturity. Typical response within one business day.