APRA Prudential Standard CPS 234 Information Security became effective for APRA-regulated entities on 1 July 2019, with triennial penetration testing requirements phased in subsequently. CPS 234 applies to all APRA-regulated entities: authorised deposit-taking institutions (banks, credit unions, building societies), general insurers, life insurers, private health insurers, and superannuation funds regulated by APRA. It imposes specific, enforceable obligations on boards, management, and service providers — including email hosting providers — around information security capability, control frameworks, testing, and incident notification.
Board and Management Accountability
CPS 234 places explicit accountability at board level, which is unusual in Australian prudential regulation. The board must maintain active oversight of information security, which means receiving regular reporting on security posture, approving the information security policy, and satisfying itself that the organisation has the capability to defend against evolving threats. Board members who rely entirely on management assurances without exercising independent scrutiny may face personal accountability in an APRA enforcement action. For email specifically, boards should receive regular reporting on email security controls (DMARC/DKIM/SPF status, phishing simulation results, account compromise incidents) as part of their CPS 234 obligations.
Third-Party Service Provider Obligations
CPS 234 extends obligations to third-party service providers who manage information assets on behalf of the APRA entity — explicitly including cloud service providers and email hosting. APRA-regulated entities must assess the information security capability of third-party providers, include information security requirements in contracts, and maintain the ability to audit or obtain assurance over third-party security. Using Gmail or Microsoft 365 as your primary business email creates a CPS 234 vendor management obligation: you must assess their security capability, obtain contractual commitments, and have access to security assurance. Most regulated entities find this easier to satisfy with an IRAP-assessed, ISO 27001 certified Australian provider than with US mega-platforms whose terms prohibit audit rights.
APRA notification requirement: Under CPS 234, APRA-regulated entities must notify APRA as soon as possible and no later than 72 hours after becoming aware of a material information security incident — including email system compromises. This is separate from and potentially faster than the NDB 30-day notification obligation to the OAIC.
Information Security Control Framework for Email
- Email authentication: DMARC at p=reject enforcement, DKIM signing, and SPF with a hard-fail ("-all") policy. This is baseline under CPS 234.
- Encryption: AES-256 at rest, TLS 1.3 in transit. Email encryption must be documented and evidenced for APRA assurance.
- Multi-factor authentication: Mandatory for all email access — no exceptions for senior staff. APRA has referenced absent MFA in enforcement guidance.
- Audit logging and retention: Email audit logs must be retained to support forensic investigation and APRA supervisory review. Typically 7 years for APRA entities.
- Access controls: Role-based access, privilege minimisation, and periodic access reviews for all email system access.
- Phishing controls: Email filtering, sandboxing, and staff phishing awareness training. CPS 234 requires controls to be tested and evidenced.
- Incident response: Email compromise incidents must be assessed against the 72-hour APRA notification threshold as well as the 30-day NDB threshold.
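The email authentication baseline above (DMARC at p=reject, SPF ending in -all) is the sort of item a board report needs evidence for. The following is an added example, not code from the original page or any provider: it parses DMARC and SPF TXT records and returns findings against that baseline. The domain names and TXT strings are constructed samples standing in for the output of a real DNS lookup.

```python
import re

# Constructed sample TXT records keyed by DNS name (not real domains' data).
# A DMARC record lives at _dmarc.<domain>; SPF lives at the domain apex.
SAMPLE_TXT = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "weak.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
}

def parse_dmarc(txt):
    """Return DMARC tags as a dict from a 'v=DMARC1; ...' record, else None."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(txt):
    """Return the qualifier on the SPF 'all' mechanism: '-', '~', '?' or '+'
    (the default when no qualifier is written); None if there is no 'all'."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        match = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"
    return None

def assess_domain(domain, txt_lookup=SAMPLE_TXT):
    """Evaluate one domain against the baseline: DMARC p=reject and SPF -all.
    txt_lookup maps a DNS name to its TXT strings. Returns a report dict."""
    findings = []
    dmarc = next((t for t in map(parse_dmarc, txt_lookup.get(f"_dmarc.{domain}", [])) if t), None)
    if dmarc is None:
        findings.append("DMARC: no record published")
    elif dmarc.get("p", "").lower() != "reject":
        findings.append(f"DMARC: policy is p={dmarc.get('p', '?')}, baseline requires p=reject")
    # RFC 7208 requires exactly one v=spf1 record; more than one is a permanent error.
    spf_txts = [t for t in txt_lookup.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(spf_txts) != 1:
        findings.append(f"SPF: expected exactly one v=spf1 record, found {len(spf_txts)}")
    elif spf_all_qualifier(spf_txts[0]) != "-":
        findings.append("SPF: 'all' mechanism is not hard fail (-all)")
    return {"domain": domain, "compliant": not findings, "findings": findings}
```

A periodic run of `assess_domain` over every sending domain, with a real DNS resolver supplying `txt_lookup`, gives the evidenced status the board reporting section above asks for.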
Triennial Testing Requirements
CPS 234 requires APRA-regulated entities to conduct penetration testing of their information security controls on a triennial (every three years) basis at minimum, or more frequently following material changes to systems or the threat environment. Email infrastructure and authentication controls should be included in penetration testing scope. The test results and remediation status must be reported to the board and available to APRA on request. Third-party testing (by an independent, qualified security firm) is expected — internal-only testing generally does not satisfy the standard.
