Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234


What is APRA Prudential Standard CPS 234?

With the financial sector under ever-increasing cyber-attack, the Australian Prudential Regulation Authority (APRA) has released the Prudential Standard CPS 234 in response. This ensures that APRA-regulated entities have established sufficient protections to guarantee information security.

Regulated entities – which include banks, neobanks, credit unions, insurers, superannuation funds, private health insurance companies, and non-operating holding companies – must now demonstrate compliance with the standard rather than just following the guidance. The responsibility for this lies with the board of an APRA-regulated entity.

Organizations must demonstrate the maintenance of an information security capability that aligns with the vulnerabilities and threats to which their information assets are exposed and enables the continued operation of the entities. APRA CPS 234 strongly focuses on identifying and managing information assets – i.e. corporate data.

The cost of non-compliance


The cost of non-compliance with APRA CPS 234 is measured in terms of reputation loss and damage to the brand – no organization wants to be known for not taking appropriate care of private and personal information. Additionally, the regular data protection audits recommended in the regulation make it more likely that incidences of non-compliance will get noticed. Classifying data as a first step in addressing CPS 234 will enable the protection strategy and solutions you implement to be built around the types of data you have, and the levels of security they require.

The First Steps When Securing Your Sensitive Data


The first step in using a data classification approach to ensure compliance is understanding all the personal or sensitive data you hold and the potential risks to its security.

You should to ask:

  • What data do you already hold?
  • What data is being collected, and from where?
  • Where is it being stored and processed?
  • Why do you have it?
  • How sensitive is it?   
  • How is it accessed, used or shared, internally or externally?

The data should then be classified or tagged according to its sensitivity. Once you have singled out the most confidential information, you can determine what higher-grade controls should be applied to ensure it is sufficiently protected.

How Fortra's Data Classification Suite can help?

DCS works in concert with your existing cybersecurity infrastructure to help you achieve end-to-end compliance with privacy regulations. The open, configurable policy engine enables your organisation to enforce detailed information handling policies, tailored specifically to your business using award-winning machine learning algorithms.


Sensitive information must be identified wherever it sits and however it is created. DCS solutions automatically enforce identification across platforms and devices via easily adoptable workflows to ensure protection of all your information.

Classify And Categorise All Data

The powerful DCS policy engine ensures that data is classified correctly according to your information security policy. Multiple layers of classification allow for highly granular control. Deep learning AI technology can be deployed to assess your information, recognise sensitive data and autonomously determine appropriate categories.


DCS integrates with the other technologies in your security ecosystem, such as messaging, DLP and electronic data rights management (EDRM) solutions to enforce your information security policies using open, persistent metadata embedded in documents at creation or upon discovery. Business leaders can give employees more freedom to innovate and have peace of mind knowing that sensitive information is safe.


Fortra's Classifier Suite, the market leading data classification product, supports compliance with the APRA Prudential Standard CPS 234 including this amendment by:

Security warning badge

Ensuring appropriate control of confidential or sensitive information

Security warning badge

Classifying or labelling data with visual (and metadata) labels to highlight any special handling requirements

Security warning badge

Alerting users when personal data is leaving the organisation to warn or prevent them from sending messages that contain sensitive information

Security warning badge

Educating users about the sensitivity of data whilst ensuring adherence to corporate policy

Security warning badge

Providing critical audit information on classification events to enable remediation activity and demonstrate compliance position to regulatory authorities

Security warning badge

Enabling rapid search and data retrieval based on classification labels to support subject access requests

Security warning badge

Utilising metadata labels to drive additional security controls and solutions, such as DLP, encryption and rights management

Security warning badge

Orchestrating data management solutions, such as data retention and archiving, to ensure adherence to data storage requirements

Australian APRA Prudential Standard CPS 234 

Learn more about how DCS can help with APRA by downloading our free fact sheet


APRA CPS 234 Compliance Support

Learn more about APRA CPS 324 Compliance Support with out free fact sheet