
APRA CPS 234 explained: what Australian insurance brokers need to know

CPS 234 is the Australian Prudential Regulation Authority (APRA) Prudential Standard that sets information security requirements for APRA-regulated entities, including insurance brokers, general insurers, life insurers, banks, and superannuation funds. It took effect in July 2019 and applies in full to all regulated entities, with no carve-out for size or complexity.

For Sydney insurance brokers, CPS 234 compliance is not a one-time project. It's an ongoing accountability that the board of the entity carries personally. This guide explains what CPS 234 actually requires, what changed in 2023 when APRA introduced the tripartite review framework, and what the standard means for smaller brokers and authorised representatives.


Key facts

  • CPS 234 is APRA's Prudential Standard on Information Security, mandatory for all APRA-regulated entities since 1 July 2019.
  • The board of the regulated entity is ultimately accountable for compliance. Outsourcing IT does not transfer the accountability.
  • CPS 234 covers four main areas: information security capability, policy framework, identification of vulnerabilities and incidents, and notification to APRA.
  • The maximum APRA notification window for material information security incidents is 72 hours.
  • APRA introduced a tripartite review framework in mid-2023, requiring regulated entities to engage an independent third party to assess their CPS 234 controls.
  • Smaller insurance brokers under an Australian Financial Services Licence (AFSL) holder may not be directly APRA-regulated, but they often inherit CPS 234 obligations through their licensee or their general insurer relationships.

What is APRA CPS 234?

CPS 234 is the Australian Prudential Regulation Authority's binding information security standard for the financial entities it regulates. The standard was finalised in November 2018 and took effect on 1 July 2019. It replaced earlier non-binding guidance and made information security a board-level accountability backed by enforceable obligations.

The standard reflects APRA's view that information security has become inseparable from financial stability. A successful cyber attack on a general insurer, a life insurer, or a bank can affect customers, counterparties, and the broader financial system in ways that demand the same regulatory rigour as capital adequacy or operational risk. CPS 234 puts cyber on the same footing.

The full text of the standard is on the APRA website at apra.gov.au, and APRA also publishes practice guides (the CPG 234 series) that explain expected implementations of the standard's requirements. Both are required reading for anyone responsible for CPS 234 compliance within a regulated entity.

Who does CPS 234 apply to?

CPS 234 applies to all entities directly regulated by APRA. This includes authorised deposit-taking institutions (banks, credit unions, building societies), general insurers, life insurers, private health insurers, superannuation funds, and the holding companies of these entities.

The standard does not directly apply to: financial planners (regulated by ASIC), insurance brokers operating under an AFSL (regulated by ASIC), or service providers to APRA-regulated entities (unless they're themselves APRA-regulated).

The catch is what we call "inherited CPS 234". An insurance broker who places business with multiple APRA-regulated insurers will find that their insurer counterparties expect the broker to maintain controls aligned to CPS 234 principles. The broker isn't directly regulated, but the insurer's CPS 234 obligation (specifically the requirement to assess third-party information security capability) flows down as a contractual expectation. In practice, brokers who want to maintain agency arrangements with major insurers end up implementing CPS 234-aligned controls regardless of their direct regulatory status.

The same dynamic applies to service providers (IT companies, outsourced operations, software vendors) supplying APRA-regulated entities. The standard requires the regulated entity to assess and manage information security risk from its third parties, which translates into supplier security questionnaires, contractual security obligations, and sometimes third-party audits.

What does CPS 234 actually require?

The standard sets out requirements across four main areas. Each one has practical implications for the systems, controls, and reporting that a compliant entity needs in place.

Information security capability commensurate with vulnerabilities and threats. The board must ensure the entity maintains an information security capability that's appropriate to the size, business mix, and threat profile of the entity. A small specialist insurer does not need the same controls as a major bank, but both need controls proportionate to their actual exposure. The capability includes people, processes, technology, and budget.

Information security policy framework. Entities must maintain an information security policy framework that defines roles, responsibilities, and decision rights for information security across the organisation. The framework must be approved at board level, reviewed regularly, and integrate with the entity's broader risk management framework.

Identification of information security vulnerabilities and threats. Entities must have processes to identify their information assets (data, systems, infrastructure), classify them by criticality and sensitivity, and identify vulnerabilities and threats to those assets. This must be a living process, not a one-time assessment. Penetration testing, vulnerability scanning, threat intelligence, and incident response capability all fall under this requirement.

Notification to APRA. Entities must notify APRA within 72 hours of becoming aware of a material information security incident, and within 10 business days of identifying a material information security control weakness that cannot be remediated in a timely manner. The 72-hour clock starts when the entity becomes aware of the incident, not when remediation begins.
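The two notification windows above are easy to state and easy to get wrong in the middle of an incident, because the 72-hour clock runs from awareness rather than from the start of remediation, and the 10-business-day clock skips weekends and public holidays. The following Python is an added worked example, not code from 4iT or from APRA, that computes both deadlines from a recorded awareness time; the AEST offset, the single public holiday and the sample timestamps are constructed for illustration and would be replaced by the entity's own incident log and the gazetted NSW holiday list.

```python
from datetime import date, datetime, timedelta, timezone

# Assumed fixed UTC+10 offset for the example (no DST handling); a real
# register would use the entity's local zone and log times in UTC.
AEST = timezone(timedelta(hours=10))

# Constructed placeholder holiday set; Anzac Day 2025 falls on a Friday, so it
# demonstrates the business-day skip. Use the official NSW list in practice.
ASSUMED_PUBLIC_HOLIDAYS = frozenset({date(2025, 4, 25)})

INCIDENT_WINDOW = timedelta(hours=72)      # material incident: 72 hours
WEAKNESS_WINDOW_BUSINESS_DAYS = 10         # material control weakness: 10 business days


def incident_deadline(aware_at: datetime) -> datetime:
    """Deadline for notifying APRA of a material incident.

    The clock starts when the entity became aware of the incident. The time
    remediation began is deliberately not an input: it does not move the deadline.
    """
    if aware_at.tzinfo is None:
        raise ValueError("awareness time must be timezone-aware")
    return aware_at + INCIDENT_WINDOW


def add_business_days(start: date, days: int, holidays=ASSUMED_PUBLIC_HOLIDAYS) -> date:
    """Advance `start` by `days` business days, skipping weekends and holidays."""
    current = start
    counted = 0
    while counted < days:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            counted += 1
    return current


def weakness_deadline(identified_on: date, holidays=ASSUMED_PUBLIC_HOLIDAYS) -> date:
    """Deadline for notifying APRA of a material control weakness."""
    return add_business_days(identified_on, WEAKNESS_WINDOW_BUSINESS_DAYS, holidays)


def incident_clock_status(aware_at: datetime, now: datetime) -> dict:
    """Report hours remaining on the 72-hour clock and whether it has lapsed."""
    deadline = incident_deadline(aware_at)
    remaining_hours = (deadline - now).total_seconds() / 3600
    return {
        "deadline": deadline,
        "hours_remaining": round(remaining_hours, 2),
        "overdue": remaining_hours < 0,
    }


if __name__ == "__main__":
    # Constructed sample: incident first recognised on a Tuesday afternoon.
    aware = datetime(2025, 4, 22, 16, 30, tzinfo=AEST)
    print("incident notification due:", incident_deadline(aware).isoformat())
    print("status at +70h:", incident_clock_status(aware, aware + timedelta(hours=70)))
    print("status at +73h:", incident_clock_status(aware, aware + timedelta(hours=73)))
    print("weakness notification due:", weakness_deadline(aware.date()))
```

Running it for an incident recognised at 16:30 on Tuesday 22 April 2025 gives a 72-hour deadline of 16:30 on Friday 25 April, regardless of when containment started, and a control-weakness deadline of Wednesday 7 May once the Anzac Day holiday is skipped. Logging the awareness timestamp at the moment the incident is triaged, rather than reconstructing it later, is what makes these numbers defensible to APRA.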

How does the tripartite review framework work?

In mid-2023, APRA introduced a tripartite review framework that significantly raised the bar on CPS 234 compliance evidence. The framework requires regulated entities to engage an independent third party to conduct a structured assessment of the entity's CPS 234 controls. The assessment is reviewed by APRA, and findings inform APRA's supervisory engagement with the entity.

The tripartite naming reflects three parties: the regulated entity, the independent third-party assessor, and APRA. The assessor's role is to verify that the controls described in the entity's CPS 234 documentation actually exist and operate as designed. The assessor produces a report with findings, ratings, and recommended remediation. The entity is then expected to address findings on a timeline agreed with APRA.

The introduction of tripartite review changed the practical compliance posture for many entities. Before mid-2023, an entity could maintain CPS 234 documentation that described intended controls without rigorous evidence that the controls were operating effectively. After tripartite review, the assessor's job is precisely to verify operating effectiveness, which forces a much higher quality of control documentation and ongoing evidence collection. The shift parallels what happened in the United States when SOC 2 examinations matured from design assessments to operating effectiveness reviews.

What does CPS 234 mean for small insurance brokers?

For a small Sydney insurance brokerage with 10 to 50 staff, CPS 234 typically arrives through one or both of two paths. Either the brokerage's licensee (the AFSL holder under whom the brokers operate, where the brokerage does not hold its own licence) imposes CPS 234-aligned controls as a condition of authorisation, or the major insurers the brokerage places business with require evidence of CPS 234-aligned controls through annual security questionnaires.

The practical baseline for a small insurance broker pursuing inherited CPS 234 compliance typically includes the Essential Eight at Maturity Level 1 across all staff devices and key applications, multi-factor authentication on every account that touches customer or insurer data, encrypted backups with verified restore testing, documented incident response and breach notification procedures, third-party risk assessments for major software vendors (the underlying broking platform, the email system, the document management system), and an information security policy approved at director level. None of this is novel. All of it is achievable for a small brokerage with reasonable IT investment and a managed services partner that understands the regulatory context.

The mistake we see most often: small brokerages treat CPS 234 as something the insurers' compliance team will check off, and don't realise that the obligation flows through to the broker via the agency agreement. The first time it becomes a problem is usually when a major insurer issues a tightened security questionnaire as part of an annual review, and the brokerage scrambles to answer questions they haven't engineered the controls to support.

What's the difference between CPS 234 and Essential Eight?

The Essential Eight is a control framework. CPS 234 is a regulatory obligation. They operate at different levels and serve different purposes, but they're complementary in practice.

The Essential Eight, published by the Australian Cyber Security Centre (ACSC), describes eight specific controls (application control, patch applications, configure Microsoft Office macros, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, regular backups) and four maturity levels for each control. It's a "what to do" framework with concrete implementation guidance.

CPS 234 is a "what to achieve" framework. It defines the outcomes an entity must achieve (capability commensurate with threats, documented policy, vulnerability identification, incident notification) without prescribing how to achieve them. The Essential Eight is one of the most practical ways for an Australian entity to operationalise the technical control aspects of CPS 234, particularly the "information security capability" requirement.

Most APRA-regulated entities use the Essential Eight or a similar framework (NIST CSF, ISO 27001) as the operational layer underneath their CPS 234 compliance program. The framework provides the controls; CPS 234 provides the regulatory accountability that the controls actually work.

Frequently asked questions

Is CPS 234 mandatory for insurance brokers?

Not directly, unless the brokerage itself is APRA-regulated (rare). It typically applies indirectly through licensee requirements or insurer counterparty expectations. In practice, any insurance broker placing business with major Australian insurers will end up implementing CPS 234-aligned controls because the insurers require it through their third-party risk processes.

What's the maximum penalty for CPS 234 non-compliance?

APRA's enforcement powers under the Banking Act and Insurance Act include directions, infringement notices, and ultimately licence conditions or revocation. APRA prefers supervisory engagement over enforcement action and typically works with entities on remediation timelines before escalating. The reputational and counterparty consequences of a public CPS 234 failure usually exceed the formal regulatory penalty in commercial impact.

How often does CPS 234 documentation need to be reviewed?

The standard requires regular review of the information security policy framework, with most entities adopting an annual review cycle as a minimum. Major changes to the business, the threat environment, or the technology stack should trigger an out-of-cycle review. The tripartite review process operates on a separate schedule agreed with APRA, typically on a multi-year cycle.

Can we outsource CPS 234 compliance to our IT provider?

You can outsource the operational controls (security tooling, monitoring, incident response capability), but you cannot outsource the accountability. The board of the regulated entity remains responsible for compliance regardless of which third parties run the underlying technology. The board needs visibility into what's outsourced, evidence that the outsourced controls are operating, and a documented process for managing the third-party risk.

What counts as a "material" information security incident requiring APRA notification?

APRA's guidance defines material incidents as those that have, or could have, a material impact on the entity's information assets, customers, financial position, or ability to operate. In practice, any incident involving customer data exposure, service disruption beyond a brief window, or successful intrusion into core systems should be assessed for materiality. When in doubt, notify. APRA prefers over-notification to under-notification.

Does CPS 234 apply to cloud services used by an APRA-regulated entity?

Yes, through the third-party risk requirements. The regulated entity remains responsible for the security of its information assets regardless of where they're hosted. This means the entity must assess the cloud provider's security controls, document the assessment, and maintain ongoing visibility into the provider's security posture. Major cloud providers publish CPS 234 alignment documentation that supports this assessment, but the regulated entity must do its own work to verify and document the alignment.

4iT supports several Sydney insurance brokers with CPS 234-aligned controls and third-party risk evidence. If your brokerage is preparing for an insurer security questionnaire or facing tightening from your licensee, that's the right time to have a structured walkthrough of what's in place and what's missing.

Brett Muscio

About the author

Brett Muscio is the Director of 4iT Support Pty Ltd, a managed services provider based in Castle Hill, NSW. He works with SME clients across Sydney, Melbourne, and Brisbane on cybersecurity, including Essential Eight maturity, CPS 234-aligned controls for financial services entities, and third-party risk evidence, with on-site support across the Sydney metro area and remote delivery nationally. Connect on LinkedIn.
