Compliance · APRA CPS 234
APRA CPS 234 training, phishing simulation and evidence for Australian regulated entities.
Vigil covers the personnel and capability expectations of CPS 234, phishing simulation, role-based training for finance, claims and admin functions, and the time-stamped evidence pack your APRA assessor (and your FAR accountable person) need to see.
What is APRA CPS 234?
CPS 234 is APRA's Information Security prudential standard. It requires regulated entities to maintain an information security capability commensurate with the size and extent of threats to their information assets, and to enable the continued sound operation of the entity. It came into effect 1 July 2019 and now sits alongside CPS 230 (Operational Risk Management) and the Financial Accountability Regime (FAR).
APRA's emphasis since 2024 has shifted toward proving the security capability is operating, not just documented. That's where awareness training, phishing simulation and continuous evidence become essential.
How Vigil maps to CPS 234
| CPS 234 expectation | What it asks for | How Vigil covers it |
|---|---|---|
| Para 21, capability | Information-security capability commensurate with threats. | AI-era phishing, vishing and deepfake simulation tuned to current threats. |
| Para 22, roles & responsibilities | Clear personnel responsibilities. | Role-based training tracks (finance, claims, admin, executive). |
| Paras 25 and 26, controls | Controls commensurate with criticality and sensitivity. | Targeted training assigned automatically based on failure type. |
| Para 28, testing | Systematic testing of controls. | Quarterly phishing campaigns + multi-channel coordinated tests. |
| Para 35, APRA notification | Notify APRA of material incidents within 72 hours. | Incident timeline and reportable-event log built from live data. |
| FAR alignment | Personal accountability for cyber-resilience outcomes. | Accountable-person attestations + board-level dashboard. |
CPS 234 + CPS 230, what changed in 2025
CPS 230 (operational risk) came into force on 1 July 2025 and reinforced CPS 234's expectations around third-party risk, accountable persons under FAR, and the need to demonstrate operating effectiveness, not just policy. Vigil's evidence pack includes the third-party / service-provider awareness coverage CPS 230 references, and the accountable-person attestation flow FAR requires.
CPS 234 + Vigil, common questions
Is CPS 234 mandatory for my organisation?
CPS 234 applies to all APRA-regulated entities: banks, insurers, superannuation trustees, RSE licensees and their subsidiaries. If you hold an APRA licence, CPS 234 applies. The standard came into force 1 July 2019 and was updated in 2025 alongside CPS 230 (operational risk).
Does CPS 234 require security awareness training?
CPS 234 paragraph 21 requires regulated entities to maintain an information security capability 'commensurate with the size and extent of threats'. APRA's information papers consistently identify human error and phishing as primary threat vectors, so awareness training, phishing simulation and role-based education are expected components of CPS 234 capability.
How does Vigil's evidence pack help with CPS 234?
Vigil produces a date-stamped, per-employee training register, phishing campaign results segmented by role, and a continuous-control timeline that proves the program is running, not just designed. APRA's tri-annual self-assessment requires evidence the controls are operating effectively; Vigil's pack maps directly to that ask.
What about CPS 230 (operational risk), does it change anything?
CPS 230 (effective 1 July 2025) adds personal accountability under the Financial Accountability Regime (FAR) and explicit third-party / service-provider expectations. Vigil's evidence pack includes accountable-person attestations and supports the supply-chain awareness training CPS 230 references.
Can I share Vigil evidence with my APRA assessor?
Yes. The Vigil auditor portal provides read-only, time-boxed access so an APRA-aligned assessor can self-serve the underlying simulation, training and remediation records without your team exporting CSVs.
Does Vigil cover the more onerous CPS 234 categories (Tier 1 / Tier 2)?
Yes. Vigil's role-based training and BEC / payment-fraud simulations align with the more intensive expectations APRA places on systemically important institutions. The dashboard's continuous risk-score timeline satisfies the ongoing-monitoring language in CPS 234 paragraph 28.
Walk into your APRA review with the evidence already done.
30-day free trial. No credit card. CPS 234-ready evidence pack on day 1.