CPS 234

Meet APRA's information security requirements with robust cyber resilience controls, systematic testing, and clearly defined security governance for regulated entities.

How Kiteworks Supports CPS 234 Compliance

The Australian Prudential Regulation Authority (APRA) introduced Prudential Standard CPS 234 Information Security to ensure that APRA-regulated entities maintain robust information security capabilities commensurate with the threats they face. Kiteworks provides a comprehensive platform that addresses every key requirement of CPS 234, enabling financial institutions, insurers, and superannuation trustees to demonstrate compliance while strengthening their overall cyber resilience posture.

1. Information Security Capability

CPS 234 requires an APRA-regulated entity to maintain an information security capability commensurate with the size and extent of threats to its information assets. Kiteworks delivers enterprise-grade security capabilities including:

  • Hardened virtual appliance architecture that isolates sensitive data exchange from external threats

  • Multi-layered defense with embedded firewalls, intrusion detection systems, and web application firewalls

  • Automated threat detection using real-time monitoring and anomaly detection across all communication channels

  • Scalable security infrastructure that grows with organizational needs while maintaining consistent protection levels

  • Zero-trust security model ensuring every access request is verified regardless of source location

2. Policy Framework

APRA expects regulated entities to maintain an information security policy framework that is consistent with their exposure to vulnerabilities and threats. Kiteworks supports policy framework requirements through:

  • Granular policy enforcement across file sharing, email, managed file transfer, and web forms

  • Role-based access controls that map directly to organizational security policies and hierarchies

  • Automated policy application ensuring consistent enforcement without manual intervention

  • Policy versioning and audit trails for demonstrating policy lifecycle management to APRA

3. Information Asset Identification and Classification

CPS 234 mandates that regulated entities classify their information assets by criticality and sensitivity. Kiteworks facilitates this requirement with:

  • Comprehensive content visibility across all communication channels including email, file sharing, SFTP, and APIs

  • Data classification integration supporting automatic tagging and handling based on sensitivity levels

  • Centralized asset inventory providing a unified view of all sensitive content and its movement across the organization

  • Metadata tracking that captures who accessed what information, when, and from where

4. Systematic Testing of Security Controls

The standard requires systematic testing of the effectiveness of information security controls through a program that is commensurate with the entity's risk profile. Kiteworks enables testing compliance through:

  • Continuous vulnerability scanning integrated into the platform's security lifecycle

  • Penetration testing support with regular third-party assessments of the platform infrastructure

  • Security control validation through automated testing of access controls, encryption, and data handling procedures

  • Compliance reporting dashboards that track testing outcomes and remediation activities over time

Testing Requirement         Kiteworks Capability               Frequency
Vulnerability Assessment    Automated scanning and reporting   Continuous
Penetration Testing         Third-party assessment support     Annual
Access Control Testing      Automated permission validation    Quarterly
Encryption Verification     TLS/AES compliance checks          Continuous
Incident Response Drills    Simulated breach exercises         Semi-annual

5. Incident Management

CPS 234 requires entities to have mechanisms in place to detect and respond to information security incidents in a timely manner. Kiteworks strengthens incident management capabilities with:

  • Real-time security monitoring with SIEM integration for immediate threat detection and alerting

  • Comprehensive audit logging capturing every file access, user action, and system event for forensic analysis

  • Automated incident response workflows that can quarantine compromised accounts or files instantly

  • Forensic investigation tools enabling rapid identification of breach scope and affected information assets

  • Incident classification and tracking aligned with APRA's severity and notification frameworks

6. Internal Audit

APRA requires that the internal audit function reviews the design and operating effectiveness of information security controls. Kiteworks supports internal audit requirements through:

  • Immutable audit trails that cannot be altered or deleted, ensuring integrity of audit evidence

  • Custom reporting capabilities allowing auditors to generate targeted compliance reports

  • Control effectiveness dashboards providing real-time visibility into security control performance

  • Historical data retention maintaining comprehensive records for audit review periods

7. Third-Party and Related Party Oversight

CPS 234 extends information security obligations to third-party arrangements where information assets are managed. Kiteworks provides robust third-party oversight through:

  • Secure external collaboration with controlled sharing channels that enforce organizational security policies

  • Third-party access monitoring tracking all external user activities and content interactions

  • Vendor risk management support with visibility into how third parties handle sensitive content

  • Contractual compliance enforcement through technical controls that cannot be bypassed by external parties

  • Data residency controls ensuring third-party data handling meets geographic and jurisdictional requirements

8. Board Reporting and Governance

The board of an APRA-regulated entity is responsible for overseeing the entity's information security posture. Kiteworks facilitates board-level governance with:

  • Executive-level dashboards providing summary views of security posture, incidents, and compliance status

  • Risk quantification reporting translating technical security metrics into business risk language

  • Trend analysis and benchmarking showing improvement or degradation of security controls over time

  • Regulatory compliance scorecards mapping platform capabilities to specific CPS 234 requirements

9. APRA Notification Requirements

CPS 234 requires entities to notify APRA of material information security incidents and material information security control weaknesses. Kiteworks helps meet notification obligations by:

  • Automated incident severity classification to quickly determine materiality thresholds for APRA notification

  • Rapid incident documentation generating detailed incident reports suitable for regulatory submission

  • 72-hour notification support ensuring organizations can meet the strict APRA reporting timeline

  • Control weakness identification through continuous monitoring that flags deficiencies before they become material

  • Evidence preservation maintaining detailed records that support APRA investigations and follow-up inquiries

By leveraging Kiteworks' comprehensive security and compliance platform, APRA-regulated entities can systematically address every requirement of CPS 234 while building a stronger, more resilient information security posture that protects sensitive financial data and maintains the trust of their customers and stakeholders.