The Final Deadline for CPS 234 Tripartite Assessments

Sheena Shrivastava
February 16, 2024


The Australian Prudential Regulation Authority (APRA) has announced the final deadline for all remaining regulated entities to submit their CPS 234 tripartite assessments and has outlined core enforcement and supervision priorities for the year ahead. This crucial step underscores APRA's commitment to cybersecurity as a fundamental pillar of financial stability. However, while the deadline looms, understanding the context, implications and potential consequences of the requirement is essential.


Implemented in 2019, CPS 234 stands for Prudential Standard CPS 234: Information Security. It mandates specific cybersecurity obligations for APRA-regulated entities like banks, insurers, and superannuation trustees and aims to safeguard sensitive financial data, protect customer information, and ensure operational resilience against cyber threats.


The CPS 234 Tripartite Review is a mandatory audit commissioned by APRA. Conducted by a registered public audit firm, it assesses the effectiveness of an APRA-regulated entity's information security controls against the requirements outlined in Prudential Standard CPS 234: Information Security. The review plays a crucial role in strengthening the cybersecurity posture of the financial sector and mitigating cyber risks and also serves as a preliminary indicator of an entity’s overall cybersecurity maturity and preparedness.

Key Features of the Tripartite Review:

  • Independent Evaluation - the review is conducted by a registered public audit firm, ensuring objectivity and thoroughness.
  • Focus on CPS 234 - the review assesses compliance with 21 control objectives derived from the standard, providing a comprehensive evaluation.
  • Tripartite Engagement - the review involves participation from APRA, the regulated entity, and the independent auditor, fostering transparent communication and collaboration.

The Tripartite Review serves as a valuable exercise for regulated entities to identify areas for improvement in their cybersecurity practices and demonstrate their commitment to information security best practices.


The Australian Prudential Regulation Authority (APRA) recognises the significant impact of cyber threats on the financial landscape and prioritises cybersecurity through a range of initiatives, including the CPS 234 Tripartite Review. This commitment stems from several key considerations:

  • Attractive Targets for Threat Actors - financial institutions represent high-value targets for threat actors seeking substantial financial rewards and valuable personal information on the dark web.
  • Escalating Cybercrime Reports - the Australian Cyber Security Centre (ACSC) observed a 13% surge in cybercrime reports during the 2020-21 financial year, underlining escalating cybersecurity challenges.
  • Risks in Third-Party Relationships - with financial institutions relying more on third-party support come inherent risks; breaches often result from excessive privileged access granted to third parties.
  • Board Involvement - APRA's pilot of CPS 234 revealed concerns, emphasising the need for boards to actively review cyber resilience information, ensure recovery from high-impact attacks, and verify the effectiveness of information security controls across the supply chain.


The Australian Prudential Regulation Authority (APRA) has set the final deadline of June 30th 2024 for regulated entities to submit CPS 234 tripartite assessments. The submission window spans the next six months, following the completion of the information security assessment program’s initial pilot phase.

Key takeaways for the Pilot Phase

  • The first tranche of tripartite assessments revealed control gaps in areas such as:
    • Incomplete identification of critical information assets
    • Inadequate testing of incident response plans
    • Weakness in third-party risk management
  • APRA emphasises that entities with significant vulnerabilities post-assessment may face intensified supervision, root cause analysis requests, remediation plans, and potential enforcement actions.

Looking Ahead: The Regulatory Landscape for Operational Resilience

With prudential Standard CPS 230 – Operational Risk Management set to take effect from July 1, 2025, APRA urges entities to proactively ensure compliance. The regulator plans to engage with entities on operational resilience throughout 2024, providing updated guidance, meetings, webinars, and information roundtables. Ultimately, APRA is committed to ensuring regulated entities operate with:

  • Robust control frameworks
  • Effective business continuity plans
  • Secure arrangements with service providers.


Navigating the intricacies of CPS 234 and successfully completing the tripartite assessment can be daunting. InfoTrust boasts a team of cybersecurity experts with a deep understanding of the standard and its assessment requirements. They can guide you through:

  • Gap analysis - identifying areas where your cybersecurity posture needs improvement.
    • Identify and map your information assets
    • Evaluate your current security controls
    • Perform vulnerability assessments and penetration testing
  • Remediation Planning - developing a clear roadmap to address identified gaps and enhance your security posture.
    • Prioritise identified gaps
    • Develop clear and actionable steps
    • Allocate necessary resources
  • Assessment Preparation - ensuring your organisation is fully prepared for the tripartite assessment.
    • Put your remediation plan into action
    • Establish ongoing monitoring processes
    • Conduct regular internal audits
  • Foster a culture of cybersecurity – Educate employees about cybersecurity risks and their role in protecting organisational data
    • Raise awareness
    • Implement Security training
    • Promote a culture of shared responsibility

Don't wait until the deadline approaches. Reach out to InfoTrust today and confidently navigate your path to CPS 234 compliance.