Skip to main content

Data Governance Framework Incorporating APRA CPS 234 Information Security

The use of data and data analytics are key competitive levers for organisations operating in an increasingly digital market place. As the collection and use of data increases exponentially, so do the risks of data misuse and privacy breaches. Subsequently, governments and regulatory bodies are playing an increasingly important role in regulating and controlling the use of data via standards and guides.

As the bulk of data related regulations and guides are relatively new, it is possible many organisations are not fully compliant. APRA’s CPS 234 Information Security is a perfect example.

CPS 234 is a prudential standard that commences on 1 July 2019 (for organisations that manage their data inhouse). The objective of CPS 234 is to ensure resilience against information security incidents by maintaining an information security capability that is in line with information security vulnerabilities and threats. As an APRA standard, CPS 234 will be enforceable.

In summary, to comply with CPS 234, APRA regulated entities must:

  • Clearly define the information-security related roles and responsibilities of the Board, and of senior management, governing bodies and individuals;
  • Maintain information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity;
  • Implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and
  • Notify APRA of material information security incidents.

While governments and regulatory bodies, such as APRA, determine data governance regulations, organisations should surpass the base obligations and look to implement governance structures and processes as a part of a comprehensive digital transformation, leading to a discernible competitive advantage.

As an example, algorithmic accountability is a significant issue as organisations incorporate AI into business processes to gain greater customer intimacy, faster processing and better operational practices, such as underwriting and pricing for insurers. The regulators will always be playing catch up and it is the responsibility of organisations to self-regulate as a responsible risk mitigating business practice.

There is now the inevitable rush to comply with CPS 234, with the general objective being to avoid the consequences of noncompliance from APRA. While the primary objective is to comply by the 1 July 2019, Frazer Walker assist our clients to incorporate the requirements of CPS 234 into a broader data governance framework.

For Authorised Deposit-taking Institutions (ADIs), in addition to CPS 234, the following regulations and guides should be considered as a part of a corporate wide data governance framework. Included in this list are Australian and international regulations as well as guides that are not enforceable but should be considered as inputs to a comprehensive framework:

  • OAIC – Australian Privacy Principles
  • OAIC – Notifiable Data Breaches Scheme
  • OAIC – Guide to securing personal information
  • APRA – Banking Executive Accountability Regime
  • ACCC – Consumer Data Right (Open Banking)
  • ASIC – Cyber resilience: Health check (Report 429)
  • EU, General Data Protection Regulation (GDPR)
  • BCBS 239, Principles for effective risk data aggregation and risk reporting
  • PCI DSS Credit card transaction data protection.


Adam Brougham is a Principal Consultant in Frazer Walker’s Information Technology Practice.

To learn more, Adam can be contacted on Phone: +61 405 646 185 or