May 13, 2025
What is the Cyber Security Act 2024?
Cybersecurity regulations in Australia are becoming more complex, and for financial services firms, meeting compliance is no longer a box-ticking exercise. It is a business-critical responsibility. Two major frameworks now define the regulatory landscape: APRA’s CPS 234 and the Cyber Security Act 2024.
Both are designed to strengthen cyber resilience, but they serve different regulatory functions. CPS 234 focuses on internal information security within APRA-regulated entities, while the Cyber Security Act introduces national-level obligations tied to critical infrastructure, cyber incident reporting, and systemic risk mitigation. For finance firms, this means navigating two layers of compliance, each with unique expectations, enforcement bodies, and technical requirements.
Complying with both frameworks requires more than ad hoc controls. Businesses need a clearly defined cybersecurity framework that can be operationalised, reviewed, and continuously improved. This involves investment in tools, staff training, incident response planning, and third-party oversight.
In this blog, we break down what each regulation covers, how they compare, where they overlap, and what your organisation must do to remain compliant.
CPS 234, developed by the Australian Prudential Regulation Authority (APRA), came into effect in July 2019. It sets out mandatory information security requirements for all APRA-regulated entities, including banks, insurers, and superannuation funds.
The objective is clear: to ensure entities can withstand and recover from cyber threats. The standard requires organisations to:
Failure to comply can trigger regulatory action, including enforceable undertakings or civil penalties.
The Cyber Security Act 2024, introduced by the Department of Home Affairs together with the Australian Signals Directorate, reflects the federal government’s intent to drive a whole-of-economy cybersecurity uplift, with special emphasis on critical infrastructure.
Key features of the Act include:
The finance sector, though already heavily regulated under APRA, is included in the Cyber Security Act’s Critical Infrastructure Asset classes, especially for entities that fall under the Security of Critical Infrastructure (SOCI) Act.
For Australian finance firms, CPS 234 and the Cyber Security Act 2024 share several regulatory priorities. Aligning with one helps support compliance with the other—but neither is fully comprehensive alone. Here's where they intersect and why it matters.
CPS 234 requires finance firms to report material cybersecurity incidents to APRA within 72 hours. The Cyber Security Act 2024 introduces a parallel requirement: ransomware payments and cyber extortion threats must be reported to the Department of Home Affairs within the same timeframe. While the triggers are different, both regulations demand fast, accurate incident detection and escalation processes.
Both frameworks expect finance firms to take full accountability for third-party risks. CPS 234 requires due diligence over vendors who handle sensitive systems or data. The Cyber Security Act goes further by expecting visibility across the digital supply chain, particularly for firms linked to national infrastructure. Whether it’s a cloud provider or software partner, every link in the chain must be assessed and secured.
CPS 234 mandates ongoing testing, monitoring, and security control implementation. The Cyber Security Act raises the bar with sector-specific resilience programs and national coordination exercises for critical entities. Finance firms can no longer rely on passive compliance—they must demonstrate practical readiness and participate in broader defence efforts.
Together, these areas represent critical crossover points. Meeting the baseline of CPS 234 builds strong foundations, but finance firms must also adapt to the broader, nationally enforced obligations introduced under the Cyber Security Act.
Begin by conducting a comprehensive assessment of your current information security program and mapping it against the specific requirements of CPS 234 and the Cyber Security Act. This process should identify where your existing controls overlap with each framework and where gaps remain.
A key output of this assessment is a crosswalk matrix that maps each internal control to both sets of obligations, helping you streamline compliance and reduce redundant work.
Incident response obligations differ between APRA and the Department of Home Affairs, particularly in terms of who must be notified, what must be reported, and within what timeframe. Your existing playbooks should be updated to reflect these dual reporting pathways and tested to ensure operational readiness.
Make sure your incident response procedures include clear 72-hour ransomware reporting workflows, which are mandatory under the Cyber Security Act for certain events.
Understanding your organisation’s status under the SOCI Act is essential. If any of your systems are classified as Systems of National Significance (SoNS), you may face enhanced obligations such as mandatory assessments or government-led response directives.
Engage legal and compliance advisors to determine if your systems qualify as SoNS and prepare a documented critical asset register as a foundation for further obligations.
Reaching compliance may require technical expertise, continuous monitoring, and resource capacity that many internal teams cannot sustain alone. Partnering with a specialist security provider ensures access to 24/7 threat detection, compliance-aligned security controls, and guidance tailored to your industry, helping you close gaps and stay ahead of regulatory requirements.
At Superior IT, we help Australian financial services firms assess, implement, and manage security programs that meet the requirements of regulations such as the Cyber Security Act 2024. From mapping internal controls and reviewing critical asset classifications, to setting up dual incident response protocols and partnering as your trusted SSP, we provide end-to-end support to simplify compliance and strengthen your cyber defences.
Call Us: 1300 93 77 49
Email: info@superiorit.com.au
Explore DefenderSuite: https://www.superiorit.com.au/defendersuite-au
Australian Prudential Regulation Authority (APRA). Prudential Standard CPS 234: Information Security.
Australian Government Department of Home Affairs. Cyber Security Act 2024.