§26 · Lane 7 — Australian Regulatory Primary Instruments
APRA CPS 234 / CPG 234 — Information Security
APRA (2018, in force 2019) · CPS 234 / CPG 234
Bibliographic data
- Title: APRA Prudential Standard CPS 234 (in force from 1 July 2019) — Information Security; and Prudential Practice Guide CPG 234
- Authors / Issuing body: Australian Prudential Regulation Authority (APRA)
- Venue / Publisher: Australian Prudential Regulation Authority; legal instrument registered on Federal Register of Legislation as F2018L01745 (Banking, Insurance, Life Insurance, Health Insurance and Superannuation (prudential standard) determination No. 1 of 2018)
- Year: 2018
- Designation: Regulatory
- Licence: Stable URL — refer to publisher for full licence terms.
- Canonical link: https://www.apra.gov.au/information-security
How to cite
APRA (2018, in force 2019). APRA Prudential Standard CPS 234 (in force from 1 July 2019) — Information Security; and Prudential Practice Guide CPG 234. Australian Prudential Regulation Authority; legal instrument registered on Federal Register of Legislation as F2018L01745 (Banking, Insurance, Life Insurance, Health Insurance and Superannuation (prudential standard) determination No. 1 of 2018). https://www.apra.gov.au/information-security.
The information-security companion to CPS 230 (§25). Requires APRA-regulated entities to maintain information-security capability commensurate with information-security vulnerabilities and threats, manage third-party information-security risks, and notify APRA of material incidents and control weaknesses.
Why it matters for NETEVO
Information-security limb of the AU prudential AI surface. Prudential Standard CPS 234 (in force from 1 July 2019), together with its non-binding interpretive companion Prudential Practice Guide CPG 234, is the APRA regime with which AI controls deployed inside regulated entities must integrate. NETEVO carries it as the information-security counterpart to CPS 230 — the prudential half of the AI control stack where information confidentiality, integrity and availability are at stake.
Where CPS 230 frames operational resilience broadly, CPS 234 specifies the information-security limb in detail. AI systems are information-security assets, and the controls applied to them flow up into the CPS 234 obligation cascade. The standard is the Australian articulation of the framing that AI sits inside the information-security perimeter — load-bearing whenever NETEVO work touches an APRA-regulated client and any AI system processes, stores or routes sensitive information.
Direct pairing with ISO/IEC 23894. The international AI risk management standard carries an Annex A objective taxonomy whose security-and-resilience and information-security-and-privacy categories specify the engineering side of what CPS 234 mandates prudentially. NETEVO's Law-to-Code Methodology treats the two as a single normative pair — international standard plus AU prudential obligation — and produces engineered controls that satisfy both from one architecture rather than two parallel stacks.
Notification regime as regulator-facing telemetry. CPS 234's obligation to notify APRA of material information-security incidents and material control weaknesses is the regulator-facing limb of the same telemetry that CPS 230 demands for operational resilience. NETEVO's engineered-evidence architecture serves both notification regimes from a single observability layer, keeping the prudential audit trail consistent across operational-risk and information-security domains.
Where NETEVO applies this
- AI Governance in ANZ Whitepaper — information-security section