APRA CPS 234: What It Means for Your Cloud Provider
If you're APRA-regulated and you're using cloud storage for sensitive data, you need to understand CPS 234. Here's the short version.
CPS 234 Information Security applies to every APRA-regulated entity: banks, credit unions and other ADIs, general, life and private health insurers, superannuation (RSE) licensees, and their non-operating holding companies. It is the prudential standard that sets APRA's information security expectations, and it makes the board ultimately responsible for meeting them. If you hold sensitive data in cloud storage, the parts that matter most are the ones about third parties.
What CPS 234 requires
CPS 234 has been in force since 1 July 2019. It requires regulated entities to:
- Clearly define information security roles and responsibilities
- Maintain an information security capability commensurate with the threats faced
- Implement controls to protect information assets
- Have incident management and breach response procedures
- Test information security controls through a systematic testing program, with internal audit reviewing the design and operating effectiveness of controls, including those operated by third parties
- Notify APRA of material information security incidents as soon as possible and no later than 72 hours after becoming aware of them, and notify APRA within 10 business days of a material control weakness that cannot be remediated in a timely manner
The third-party problem
Paragraph 15 of CPS 234 is the one that catches firms out. Where your information assets are managed by a "related party or third party" (your cloud provider is a third party), you must assess that party's information security capability, commensurate with the potential consequences of an incident affecting those assets. Responsibility for the controls being adequate stays with you.
In practice, this means you can't outsource compliance to your cloud provider. The standard also expects you to evaluate the design of the provider's controls and to have them tested, so you need to verify, on an ongoing basis, that their controls meet the standard. Getting a SOC 2 Type II report once at onboarding is not sufficient: the report covers a fixed audit period, and your assessment goes stale when that period ends.
What this means for your cloud provider selection
When picking a cloud provider for APRA-regulated workloads, you need to consider:
- Contractual rights. Can you audit them, or at least obtain the results of their independent audits? Can you require specific controls? Can you terminate quickly if they fail a control test? APRA's outsourcing and operational risk standards also expect material arrangements to give APRA itself access to relevant documentation and information.
- Regular assurance. Do they provide a SOC 2 Type II report, ISO 27001 certification, or equivalent at least annually? Check that the report's scope covers the services and regions you actually use, read the exceptions the auditor noted, and implement the complementary user entity controls the report assumes on your side; a SOC 2 opinion is conditional on those being in place.
- Incident notification. The 72-hour clock runs from when you become aware of an incident, so the provider's contractual notification window eats into it. Will they notify you fast enough, and with enough detail, for you to assess materiality and notify APRA in time?
- Data residency. Where is the data stored, where is it backed up, and from where is it administered? Australian residency is strongly preferred: it simplifies Privacy Act compliance and reduces, though does not eliminate, cross-border disclosure issues, since remote administration or support access from overseas still has to be considered.
- Exit plan. What happens if you need to leave? Can you get your data back in a usable, documented format within an agreed time, and will the provider delete its copies afterwards?
The documentation expectation
APRA expects you to document all of this. Your third-party risk management framework should include explicit reference to each cloud provider, the controls they provide, the residual risks you're accepting, and the board's approval of those risks. If APRA comes asking (and they do), you need to produce this file quickly.
Practical advice
For most mid-sized APRA entities, the practical path is: pick a small number of cloud providers, get comprehensive documentation from each, build a standard template for your third-party risk assessment, and refresh it annually. Don't accumulate dozens of overlapping cloud services — each one is another thing you have to assess and defend.
This is general information about CPS 234. For specific compliance guidance, speak to your risk or compliance function, or refer to APRA's published guidance.