Comply with APRA CPS 234 (Information Security)
APRA-regulated entities must maintain information security capability commensurate with the size and extent of threats.
Who must comply
All APRA-regulated entities.
What triggers it
Being APRA-regulated.
When due
Continuous; APRA notification within 72 hours of a material incident.
Evidence required
Information security policy, control testing, internal audit reports, incident notifications.
Max penalty
APRA enforcement actions including additional capital, licence conditions, directions.
Summary
CPS 234 requires APRA-regulated entities (ADIs, insurers, RSE licensees) to clearly define information security-related roles, maintain capability, implement controls commensurate with vulnerabilities and threats, and notify APRA within 72 hours of a material information security incident.
Source: https://apra.gov.au/information-security. Rules Mate is not a law firm. Always verify against the live regulator source before acting.