The Australian Prudential Regulation Authority (APRA) was established as an independent statutory authority that supervises institutions across banking, insurance and superannuation, and is accountable to the Australian Parliament.
APRA regulation of cyber security
In 2019 APRA released Prudential Standard CPS 234 Information Security (Prudential Standard).
The Prudential Standard governs cyber security and covers a range of topics including:
- the role and responsibilities of Boards;
- information security capability and policy frameworks;
- information assets and controls;
- incident management;
- testing and internal audit; and
- notifying APRA of data breaches and information security incidents.
The Prudential Standard explains that Boards of APRA regulated entities must ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets and which enables the continued sound operation of the entity.
A guide to CPS 234 can be found HERE.
Cyber security study
In July 2023, APRA released the first results arising from a study which reviewed the compliance of 300 banks, insurers and superannuation trustees with the Prudential Standard, through an independent tripartite cyber assessment. Each of the APRA regulated entities was required to appoint an independent auditor to assess its compliance with the Prudential Standard.
Key findings
The results identified a number of areas for improvement, with APRA commenting that there were several concerning gaps across the industry. Common gaps found included:
Control testing programs
APRA regulated entities must test the effectiveness of their information security controls through a systematic testing program. APRA explained that entities must adopt a variety of testing approaches; define clear success criteria; and conduct testing by appropriately skilled and functionally independent specialists who do not have operational responsibility for the controls being validated.
Incident response plans
APRA regulated entities must also maintain plans to respond to information security incidents that the entity considers could plausibly occur. To address gaps, entities must ensure their incident response plans (including those operated by third parties) are tested at least annually to ensure they remain fit-for-purpose.
Identification and classification of information assets
APRA explained that companies need to implement comprehensive asset classification policies which define what data is critical and sensitive. Further, companies should review and update asset registers regularly.
Internal audit reviews of information security controls
An APRA regulated entity’s internal audit activities must include a review of the effectiveness of information security controls, including those maintained by third parties.
Gaps identified included limited review of third-party-operated information security controls, and internal auditors performing control testing who lacked the necessary information security skills.
Notification of material incidents and control weaknesses
APRA must be notified of material incidents and material control weaknesses in every entity’s information security framework. The assessment found that the reporting process to APRA is often inconsistent, unclear and, in some cases, not in place at all.
Information security controls of third parties
Companies need to understand which information assets are managed by third parties and understand the controls that the third parties have in place.
Third party control effectiveness can be tested through a combination of interviews, surveys, control testing, certifications, contractual reviews, attestations, referrals, and independent assurance assessments.
Lavan comment
APRA has encouraged entities to review their cyber security strategy and incorporate relevant plans to address shortfalls in their cyber security controls and governance policies.
If you or your business would like further advice or assistance on how you can minimise any risk with respect to the cyber security of your business or need assistance complying with the Prudential Standard, please reach out to Iain Freeman or Kristy Yeoh.
Disclaimer
The information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.