If you provide IT services, cloud infrastructure, data analytics, payments processing, or any technology service to an Australian bank, insurer, or superannuation fund, your clients are governed by APRA's CPS 234. And increasingly, their compliance obligations are becoming your business problem too.

CPS 234 has been in force since 1 July 2019, but the practical intensity of MSP scrutiny has shifted considerably. With the transition period for CPS 230's contractual requirements ending on 1 July 2026, APRA-regulated entities are actively reviewing their service provider arrangements and demanding demonstrable security capability - not just contract representations.

The challenge for material service providers is that most of the published guidance focuses on the regulated entity. The banks have frameworks. The insurers have compliance teams. The super funds have governance committees. But the IT managed service provider serving three regional banks, or the data analytics firm processing claims data for a major insurer, often has no structured response to the question: are you CPS 234 compliant?

This guide is written specifically for service providers - not for banks, not for insurers, but for the companies that serve them. It covers what CPS 234 requires, how it applies to MSPs in practice, a step-by-step compliance roadmap with timelines, a detailed checklist, and the common mistakes that put supplier relationships at risk.

The goal is not to alarm you. MSPs that invest in CPS 234 alignment win more contracts, retain clients through regulatory cycles, and command premium positioning in the financial services supply chain. This is a competitive advantage, not just a compliance obligation.

What Is CPS 234 and Why Does It Matter to Service Providers?

CPS 234 - Prudential Standard CPS 234: Information Security - is an APRA standard that has applied to all APRA-regulated entities since 1 July 2019. It sets minimum requirements for information security capability, policy frameworks, information asset management, control testing, and incident notification. Its primary audience is banks, general insurers, life insurers, and superannuation fund trustees.

CPS 234 does not impose direct obligations on service providers. APRA supervises regulated entities, not their suppliers. But the standard requires regulated entities to manage the information security risks posed by third parties that manage their information assets. Paragraph 16 of CPS 234 requires that, where information assets are managed by a related party or third party, the regulated entity must assess the information security capability of that party, commensurate with the potential consequences of an information security incident affecting those assets. The standard goes on to require the regulated entity to evaluate the design of that party's information security controls and to cover third-party-operated controls in its testing program.

What this means for MSPs: CPS 234 places the compliance obligation on your client, not on you. But your client cannot demonstrate compliance without evidence that their material service providers - the companies managing or accessing their critical information assets - have adequate security controls in place.

The regulated entity's compliance problem becomes your due diligence problem. If you cannot satisfy your client's information security assessment, you cannot keep the contract.

The commercial stakes are real. APRA's supervisory agenda for 2026 includes formal review of regulated entities' third-party risk management programs. Regulated entities that cannot demonstrate they have assessed and assured their MSPs' security capability face regulatory findings. That pressure flows directly to their supplier base.

For MSPs, the question is not whether CPS 234 applies to you. It is whether you can demonstrate enough alignment to satisfy your clients' assessment requirements - and whether you have built that capability before your client asks for it, or after.

Are You a Material Service Provider?

APRA's definition of a material service provider comes primarily from CPS 230, which governs operational risk management and became effective on 1 July 2025. Under CPS 230, a material service provider is a third party on which the regulated entity relies to undertake a critical operation, or that exposes it to material operational risk. A disruption to a material service would have a significant impact on the regulated entity's ability to conduct a critical operation or meet its obligations to depositors, policyholders, or beneficiaries. CPS 230 also names categories of service that are treated as material by default for each industry, including core technology services, claims management, and fund administration - categories that capture many MSPs directly.

The regulated entity is responsible for classifying its service providers. They maintain a register, assess each arrangement, and make the materiality determination. But MSPs do not need to wait for that classification to prepare.

If your services fall into any of the categories named at the start of this guide - IT services, cloud infrastructure, data analytics, payments processing, or any other technology service on which a critical operation depends - and you serve APRA-regulated clients, assume you are material.

The principle is straightforward: if a disruption to your service would prevent your client from running a critical operation or meeting their obligations, you are material. If you handle or have access to sensitive customer, financial, or operational data, expect CPS 234 requirements to apply.

The proactive MSP advantage: MSPs that proactively classify their own materiality and approach clients with a CPS 234 readiness position - before the client asks - have a measurable advantage in contract renegotiations. You are demonstrating security leadership, not just compliance responsiveness.

What CPS 234 Requires - Through the MSP Lens

The following walks through each major CPS 234 obligation area and translates it into what it means for a service provider managing information assets on behalf of APRA-regulated clients.

Information Security Capability

CPS 234 requires regulated entities to maintain information security capability commensurate with the size and extent of threats to their information assets. When those assets are managed by a third party, the capability obligation extends to that third party's environment.

For MSPs, this means your security program must be adequate for the sensitivity and criticality of the information you hold. A small MSP managing low-sensitivity administrative data may have a proportionate but minimal program. An MSP processing payment transactions or managing identity access for a bank requires a materially more robust capability.

What regulated entities look for: dedicated or retained security expertise, a documented security program with defined scope, security architecture that is appropriate to data classification, and evidence that the program is active rather than theoretical.

Policy Framework

CPS 234 requires a policy framework commensurate with the regulated entity's exposures. When an MSP manages information assets on their behalf, the regulated entity will expect that the MSP has its own complementary policy framework covering the relevant domains.

The policies that MSPs are most commonly asked to produce during due diligence include: information security policy, access management and identity policy, change management policy, incident response policy, business continuity and disaster recovery policy, and third-party management policy covering the MSP's own subcontractors.

These are not complex documents, but they need to be current, approved at an appropriate governance level, and consistently applied. A policy last reviewed in 2022 or one that has never been tested against actual practice will not survive scrutiny.

Information Asset Management

CPS 234 requires regulated entities to classify their information assets by criticality and sensitivity, including those managed by third parties. This creates a direct obligation for the regulated entity to understand what their MSPs hold - and a practical obligation for MSPs to be able to tell them clearly.

MSPs should maintain an information asset register that covers: what client data they hold, where it is stored (including region and cloud provider), who has access to it and under what conditions, how it is classified and protected, and what third parties (subcontractors, cloud providers) also have access.

Fourth-party risk is a significant gap for many MSPs. If you rely on AWS, Azure, or a subcontracted managed service to deliver your client's services, your regulated client needs assurance over that entire chain - not just your direct operations.

Control Testing and Assurance

CPS 234's testing requirements (paragraphs 27 to 31) require regulated entities to test the effectiveness of information security controls, including those operated by third parties, through a systematic testing program whose frequency is commensurate with the rate of change in the threat environment and the criticality and sensitivity of the information assets. In practice, this means your regulated clients may request: penetration testing reports, vulnerability scan results, access review evidence, and control effectiveness documentation.

MSPs should establish a regular testing cadence: annual penetration testing by an independent assessor (not your own team), quarterly vulnerability scanning, annual access reviews, and ongoing security monitoring. The outputs need to be documented and available for client review.

ISO 27001 certification or SOC 2 Type II reports are valuable here - they demonstrate independent verification of your security management system. But they do not replace the need to share relevant testing evidence with regulated clients on request.

Incident Management and Notification

CPS 234 requires regulated entities to have mechanisms to detect, manage, and respond to information security incidents. Paragraph 35 requires them to notify APRA of a material information security incident as soon as possible and no later than 72 hours after becoming aware of it, and paragraph 36 requires notification of a material information security control weakness that cannot be remediated in a timely manner within 10 business days. Both clocks can be started by something that happens in your environment, so your role as an MSP in that process is critical.

If an incident occurs in your environment that affects your client's information assets, your client needs enough information - fast enough - to assess whether it is reportable to APRA. That means your incident notification to the client must be structured, timely, and contain the right information.

The 72-hour chain: Under CPS 234, regulated entities must notify APRA of material information security incidents within 72 hours of becoming aware. Your incident notification to your client needs to happen early enough in that window for them to assess, escalate internally, and report if required. For material incidents, your initial notification to the client should occur within hours - not days.

MSPs that have not thought through this notification chain before an incident are the ones that create regulatory risk for their clients. Clients do not forget that experience, and it directly affects whether the relationship continues.

Audit and Access Rights

This is the requirement that surprises many MSPs when they first encounter it. CPS 230 requires regulated entities' contracts with material service providers to include explicit provisions allowing the regulated entity - and APRA - to conduct audits, access records, and perform supervisory reviews of the MSP's environment.

APRA exercising its direct access rights over an MSP is not a hypothetical. The April 2026 amendments to CPS 230 strengthened the language around APRA's ability to require information directly from material service providers during supervisory reviews. If your contracts do not accommodate this, they are not CPS 230-compliant.

In practice, this means: your standard contract terms need to include audit rights clauses, you need a process for facilitating audit requests without disrupting operations, and your subcontracts need back-to-back provisions that allow you to honour your audit obligations even when the relevant environment is operated by a third party.

The CPS 230 Connection - Why 1 July 2026 Is the Forcing Function

CPS 230 - Prudential Standard CPS 230: Operational Risk Management - became effective on 1 July 2025. Arrangements entered into after that date had to comply from the outset; for arrangements that already existed, the transitional period runs until the earlier of the arrangement's next renewal date or 1 July 2026. From that date, every APRA-regulated entity must have written, CPS 230-compliant agreements in place with all classified material service providers.

Those contracts must include, at minimum: service level commitments and notification obligations; business continuity requirements and BCP testing participation; audit and access rights for the regulated entity and APRA; exit and transition arrangements with documented timelines; and security obligations that reference CPS 234 information security requirements.

The CPS 234 and CPS 230 relationship is direct. CPS 234 defines the information security standards. CPS 230 creates the contractual mechanism through which those standards are imposed on the supply chain. An MSP that meets CPS 234 requirements satisfies the information security component of a CPS 230-compliant contract. An MSP that cannot demonstrate CPS 234 alignment creates a compliance gap for its regulated client that must be remediated or managed.

1 July 2026: All APRA-regulated entities must have CPS 230-compliant contracts in place with their material service providers by this date. If your regulated clients have not yet approached you about contract updates, expect that conversation before the end of June. The window for preparation is closing. MSPs that have already done the work will negotiate from a position of strength.

APRA released final targeted amendments to CPS 230 on 30 April 2026, providing additional clarity on MSP classification criteria, notification timeframe expectations, and the scope of APRA's direct access rights during supervisory reviews. Those amendments signal that APRA is treating the 1 July 2026 deadline seriously and will be reviewing compliance with MSP obligations as part of its 2026 supervision program.

Step-by-Step CPS 234 Compliance Roadmap for MSPs

The following eight-step roadmap is designed for a material service provider starting from a typical MSP security posture - some documented policies, basic IT controls, and an existing client relationship that will now require formal CPS 234 assurance. The timeline assumes a full-time resource or an engaged fractional CISO. A part-time approach extends the timeline proportionally.

Step 1 - Weeks 1-2: Determine Your Materiality Status

Review each client relationship where the client is an APRA-regulated entity. For each, assess whether your services support a critical operation as defined under CPS 230. Document your assessment - which services are material, which clients are regulated, and what information assets you manage. This scoping exercise defines the compliance perimeter for everything that follows.

Step 2 - Weeks 2-4: Map Your Information Assets

Produce a structured information asset register covering all data you hold, process, or have access to on behalf of regulated clients. Classify each asset by sensitivity and criticality. Document storage locations, data flows, access controls, and any third-party or subcontractor involvement. The register does not need to be complex - it needs to be accurate and current. This becomes the foundation for your risk assessment and your response to client due diligence questionnaires.

Step 3 - Weeks 4-8: Conduct a Gap Assessment Against CPS 234

Assess your current security posture against each CPS 234 obligation area: information security capability, policy framework, information asset management, control testing, and incident management. For each area, document what you have, what is missing or insufficient, and the risk associated with each gap. Prioritise gaps by their potential impact on regulated clients. The output is a prioritised remediation roadmap - not a theoretical audit, but a practical list of what needs to be built or improved, in what order, and by when.

Step 4 - Weeks 6-12: Build Your Control Evidence Pack

Develop or update the core policies your regulated clients will request: information security policy, access management policy, change management policy, incident response policy, business continuity policy, and third-party management policy. Collect control evidence: an independent penetration test report from the last 12 months, vulnerability scan outputs, access review records, and security awareness training documentation. If you hold ISO 27001 or SOC 2, map those controls to CPS 234 requirements and identify gaps. Package the evidence into a client-ready security profile that can be shared as part of due diligence - structured, accessible, and updated at least annually.

Step 5 - Weeks 8-10: Establish Incident Response and Notification Processes

Build or update your incident response plan to include financial services-specific scenarios: data breach affecting client information assets, system disruption affecting a critical operation, third-party security incident with downstream impact. Define your internal escalation path and your client notification workflow - including who notifies the client, what information is included in the initial notification, and what follow-up is expected. Test the process with a tabletop exercise. Document your incident classification criteria - what makes an incident "material" for purposes of client notification - aligned to APRA's threshold for regulated entity reporting.

Step 6 - Weeks 10-12: Prepare for Audit and Access Rights

Review your standard contract terms and update them to accommodate audit and access rights for regulated clients and for APRA. Build an internal audit facilitation process: who handles audit requests, what records are accessible and how, how confidentiality obligations are managed alongside access requirements. Update your subcontracts to include back-to-back audit provisions - if you rely on a third party to deliver services to your regulated client, that third party needs to accommodate audit access as well. Document the process so it can be executed without delay when a request arrives.

Step 7 - Weeks 10-14: Support Business Continuity Testing

Develop business continuity and disaster recovery plans that address the specific services you deliver to regulated clients - not just your general IT continuity posture. Define recovery time objectives and recovery point objectives for each critical service, and communicate these to your regulated clients so they can incorporate them into their own continuity planning and check them against their own tolerance levels for the critical operation you support. Test your recovery capability - document the test, record the results, and capture the lessons. Take part in your regulated clients' business continuity exercises when invited, and document your participation.

Step 8 - Weeks 12-16 and ongoing: Build Ongoing Compliance Processes

CPS 234 compliance is not a one-time project. Establish the processes that maintain your compliance posture over time: a regular control testing schedule (annual penetration testing, quarterly vulnerability scanning, annual access reviews), a policy review cycle, a compliance calendar aligned to your clients' reporting periods, and a named individual or team responsible for CPS 234 compliance oversight. Build a continuous improvement process so that gaps identified during testing or client reviews are tracked to remediation. Review your compliance posture whenever you take on a new regulated client or change the nature of the services you provide.

CPS 234 Compliance Checklist for Material Service Providers

Use the following checklist to assess your current CPS 234 readiness position. Each item represents a control area that regulated entities will expect to see addressed during due diligence. The same checklist can be adapted into a client-facing readiness statement under your own branding.

Governance and Policy

  • Information security policy documented, current, and approved at the appropriate governance level
  • Roles and responsibilities for information security clearly defined across the organisation
  • Security risk management framework in place with documented risk register
  • Third-party and subcontractor management policy covering how you assess and oversee your own suppliers
  • Annual policy review schedule established and documented
  • Board or executive visibility over information security risks and compliance status

Information Asset Management

  • Client information asset register maintained and current, covering all regulated client data
  • Assets classified by criticality and sensitivity, with classification criteria documented
  • Data flow diagrams documented for regulated client data showing storage locations and access paths
  • Fourth-party dependencies mapped - all subcontractors and cloud providers that access or process regulated client data
  • Access to client information assets restricted to authorised personnel with documented access controls
  • Data handling and disposal procedures documented and consistent with client contractual obligations

Control Testing and Evidence

  • Annual penetration testing conducted by an independent assessor covering systems managing regulated client data
  • Vulnerability scanning on at least a quarterly cadence with remediation tracking
  • Access reviews completed at least annually for all accounts with access to regulated client information assets
  • Security awareness training delivered to all staff and contractors with access to regulated client systems
  • Control effectiveness assessment documented and available for client review on request
  • ISO 27001 or SOC 2 certification in place or in progress (strongly recommended for high-criticality MSPs)

Incident Management and Notification

  • Incident response plan documented with financial services-specific scenarios and playbooks
  • Client notification process defined - initial notification target for material incidents measured in hours, not days, so the client retains most of its own 72-hour APRA window
  • Incident classification criteria aligned to APRA's materiality threshold for regulated entity notification obligations
  • Internal escalation path documented and tested - who is responsible for triggering client notification
  • Tabletop exercise conducted at least annually covering relevant incident scenarios
  • Incident register maintained with root cause analysis and remediation tracking

Audit and Access Rights

  • Standard contract terms updated to accommodate audit rights for regulated clients and APRA
  • Audit facilitation process documented - who handles requests, what records are accessible, how requests are prioritised
  • Evidence pack maintained and refreshed at least annually, available for client due diligence requests
  • Subcontracts include back-to-back audit and access provisions for relevant third parties
  • CPS 234 compliance oversight assigned to a named individual or team with documented responsibilities

Business Continuity

  • BCP and DR plans documented for the specific services provided to APRA-regulated clients
  • RTOs and RPOs defined for each critical service and communicated to regulated clients
  • Recovery capabilities tested at least annually with documented results
  • Participation in client BCP testing exercises documented and incorporated into your own continuity program
  • Dependencies mapped - including cloud provider continuity positions and subcontractor BCP status
  • Exit and transition arrangements documented - how you would support a regulated client transitioning away from your services

Common Mistakes MSPs Make - and How to Avoid Them

From our work with technology service providers preparing for APRA client requirements, the following are the gaps that appear most frequently - and that create the most significant risk to client relationships.

Waiting to be asked. MSPs that wait for their regulated client to send a compliance questionnaire are already behind. Proactive MSPs approach their clients with a CPS 234 readiness position before the question arises. That positions you as a security-mature partner, not a supplier managing a compliance deadline.

Treating it as a one-time project. CPS 234 compliance is a continuous program, not a certification you obtain and file away. Regulated entities expect ongoing assurance - annual evidence updates, current certifications, and responsive engagement with their periodic reviews. An MSP that completes a gap assessment but does not maintain the outcomes over time will fall back out of compliance within 12 months.

Ignoring fourth-party risk. If you rely on a cloud provider, a subcontracted managed service, or a SaaS platform to deliver your client's services, those dependencies are in scope for CPS 234 assurance. Your client will ask what oversight you have over your own supply chain. Have a documented answer.

Assuming ISO 27001 or SOC 2 is sufficient on its own. These certifications are strong evidence of information security capability and cover substantial overlap with CPS 234. But they do not address APRA-specific requirements around direct access rights, the 72-hour notification chain, or APRA's ability to conduct supervisory reviews of your environment. Map your certifications to CPS 234 requirements and document the gaps.

Underestimating the notification timeline. Many MSPs have incident response plans that assume several business days for client notification. Under CPS 234's implicit requirements, that is too slow. If your regulated client has a 72-hour window to notify APRA, and your incident notification arrives on day two, you have left them almost no time to assess, escalate, and report. Build your notification process for hours, not days.

Not preparing for APRA direct access. The April 2026 CPS 230 amendments strengthened APRA's ability to require information directly from MSPs during supervisory reviews. If your current contracts do not accommodate this, they are out of compliance from 1 July 2026. Update your terms before your clients ask you to.

How Logic Weave Helps Material Service Providers

Logic Weave works with material service providers to build CPS 234-aligned security programs that satisfy regulated client requirements and position MSPs for long-term retention in the financial services supply chain.

Our engagements follow the roadmap above: gap assessment against CPS 234, remediation program covering policy, controls, and evidence, incident response and notification process development, and ongoing compliance support through a fractional CISO arrangement. We work to defined milestones with board-ready reporting at each stage.

If your regulated clients have not yet raised CPS 234 with you, it is coming. The 1 July 2026 CPS 230 deadline means that conversation will happen before mid-year. Arriving prepared - with a structured security program, current evidence, and a clear compliance position - changes the nature of that conversation entirely.

You can review our dedicated CPS 234 compliance services page for detail on engagement structure and deliverables, or book a 30-minute call to discuss your current readiness position.

Frequently Asked Questions

What is CPS 234 and who does it apply to?

CPS 234 (Prudential Standard CPS 234 - Information Security) is an APRA standard effective since 1 July 2019 that sets minimum information security requirements for all APRA-regulated entities, including banks, insurers, and superannuation fund trustees. While it directly applies to the regulated entity, material service providers are indirectly in scope because regulated entities must manage the information security risks posed by their third parties and will flow requirements down through contracts and due diligence.

Does CPS 234 directly apply to material service providers?

No - CPS 234 places obligations on the APRA-regulated entity, not the service provider. But regulated entities flow down CPS 234 requirements through contracts, due diligence processes, and audit programs. If you cannot demonstrate the controls your client needs, you risk losing the contract or being subject to remediation demands. The practical effect is that MSPs must align to CPS 234 requirements even though they are not directly regulated by APRA.

What is the difference between CPS 234 and CPS 230 for MSPs?

CPS 234 covers information security specifically - the controls, policies, testing, and incident management requirements your regulated clients need to see. CPS 230 covers operational risk management more broadly, including the contractual framework through which CPS 234 requirements are imposed on MSPs. CPS 230 creates the contract; CPS 234 defines the information security content of that contract. For MSPs, CPS 234 alignment satisfies the security obligations within a CPS 230-compliant arrangement.

What is the 1 July 2026 deadline and how does it affect MSPs?

From 1 July 2026, all APRA-regulated entities must have CPS 230-compliant written agreements in place with their material service providers. These contracts must include provisions for audit and access rights, business continuity, notification obligations, and information security requirements aligned to CPS 234. MSPs that are not prepared may face demands to remediate gaps under compressed timelines, or risk being replaced.

What information security controls do MSPs need for CPS 234?

MSPs should demonstrate: a documented information security policy framework; information asset classification covering regulated client data; access controls appropriate to data sensitivity; regular control testing - annual penetration testing, quarterly vulnerability scanning, annual access reviews; an incident response plan with defined notification timelines for regulated clients; business continuity and disaster recovery capability; and third-party management covering their own subcontractors. The specific depth required depends on the nature and sensitivity of information assets managed.

What should an MSP's incident notification process include?

An MSP's incident notification process should include: incident detection and classification criteria aligned to APRA's materiality threshold; internal escalation procedures; an initial client notification for material incidents within hours of becoming aware, with a defined outer limit well inside 24 hours; sufficient detail for the client to assess their own APRA reporting obligations; evidence preservation; root cause analysis; and remediation tracking. Under CPS 234, regulated entities must notify APRA no later than 72 hours after becoming aware of a material incident (and within 10 business days for a material control weakness) - your notification to the client must occur early enough in that window for their assessment and reporting process.

Do MSPs need to allow APRA access to their systems?

Yes - regulated entities' contracts with material service providers must include provisions allowing APRA to conduct direct examinations and obtain information from the MSP. The April 2026 amendments to CPS 230 strengthened this language. In practice, APRA exercises this right selectively during supervisory reviews. MSPs must be prepared for regulatory examinations including documentation requests and, in some circumstances, system access.

Can ISO 27001 or SOC 2 satisfy CPS 234 requirements for MSPs?

ISO 27001 and SOC 2 provide strong evidence of information security capability and cover significant overlap with CPS 234. But they do not address all CPS 234-specific requirements, including APRA's direct access rights, the 72-hour notification chain, and APRA's supervisory review provisions. The recommended approach is to map your existing certifications to CPS 234 requirements, identify gaps, and address those specifically. Certifications become part of your evidence pack, not a complete substitute for CPS 234 alignment.

How long does CPS 234 compliance take for an MSP?

A typical CPS 234 alignment program takes 12 to 16 weeks for an MSP with a basic existing security posture. This includes gap assessment (2 to 4 weeks), policy and control development (4 to 8 weeks), evidence collection and testing (4 to 6 weeks), and process establishment (2 to 4 weeks). MSPs with ISO 27001 or SOC 2 certifications can often complete alignment faster, as many controls already exist and only CPS 234-specific gaps need to be addressed.

What is a CPS 234 gap assessment for an MSP?

A CPS 234 gap assessment evaluates your current information security posture against each relevant CPS 234 obligation area - information security capability, policy framework, asset management, control testing, and incident management. The output is a prioritised remediation roadmap showing what needs to be built or improved, in what order, and by when. It also produces the documentation you need to communicate your compliance position to regulated clients. Logic Weave's gap assessment includes a board-ready summary and a structured evidence workbook.

What happens if an MSP cannot demonstrate CPS 234 alignment?

If an MSP cannot demonstrate adequate information security controls, the regulated entity faces compliance risk in its own CPS 234 and CPS 230 obligations. In practice, the regulated entity may require accelerated remediation with contracted milestones, impose additional oversight obligations, restrict access to sensitive information assets, or ultimately replace the MSP. For the MSP, failure to align to CPS 234 is a direct commercial risk in financial services supply chains - one that will intensify as APRA increases its supervisory focus on third-party risk in 2026.

What is the best first step for an MSP that has not yet started CPS 234 preparation?

The best first step is a gap assessment - a structured review of your current security posture against the key CPS 234 obligation areas. This gives you a clear picture of where you stand, what needs to be addressed, and the timeline required. With the 1 July 2026 deadline for CPS 230 contract compliance approaching, there is enough time for a well-executed program - but not enough time for a slow start. If you have regulated clients who have not yet raised CPS 234 with you, approach them proactively. The gap assessment gives you the language to have that conversation from a position of substance.