CPS 234 applies to all APRA-regulated entities including:
- Authorised deposit-taking institutions (ADIs). This includes foreign ADIs, credit unions, banks, and non-operating holding companies authorised under the Banking Act.
- General insurers, including Category C insurers, non-operating holding companies authorised under the Insurance Act, and parent entities of Level 2 insurance groups.
- Life companies, including friendly societies, eligible foreign life insurance companies and non-operating holding companies registered under the Life Insurance Act.
- Private health insurers registered under the PHIPS Act.
- RSE licensees under the SIS Act, in respect of their business operations.
- Superannuation funds.
Please note that if you are one of the above entities and use third-party services, CPS 234 also applies to the information systems and assets those third parties manage on your behalf, e.g. cloud service providers such as AWS or Azure, and private hosting providers (SaaS, PaaS, IaaS).
The key requirements are:
- Information Security Policy, Procedures, and Manuals
- Information security controls, and testing of the effectiveness of those controls
- Internal and External audits
- Security incident and data breach management
- APRA notification