
Is your cloud tenancy aligned to APRA CPS 234?

What executives in APRA-regulated organisations need to check now

For executive teams in APRA-regulated organisations such as banks, insurers, and superannuation funds, cybersecurity oversight is a defined responsibility. APRA requires regulated entities to ensure the protection of sensitive data, enforce structured governance, and maintain operational integrity across all digital environments, including cloud.

Cloud platforms such as Microsoft Azure and AWS enable scale and efficiency, but tenancy design, access controls, and monitoring protocols must be configured with governance in mind. APRA CPS 234 sets a clear standard. It requires that information assets are consistently secured, monitored, and managed in line with defined obligations.


What’s required under CPS 234

APRA CPS 234 applies to all APRA-regulated entities and covers systems owned and operated by third parties. It outlines a set of information security requirements designed to maintain resilience across critical operations.

Key principles include:

  • Identification of information assets and their criticality
  • Defined roles and accountability for cyber risk
  • Maintenance of information security capability
  • Implementation of controls to protect data from compromise
  • Regular testing of systems and incident response plans

These obligations extend to any environment where business-critical data is processed, including cloud-hosted services, partner systems, and SaaS applications. 



Tenancy structure supports compliance

A well-designed cloud tenancy can be one of your strongest enablers of compliance. When structured around your business functions and internal governance model, it allows your organisation to maintain clear oversight of access, enforce security policies consistently, and align operations with regulatory frameworks such as APRA CPS 234 and ISO 27001.

Rather than relying on generic configurations, a purpose-built tenancy reflects your organisational structure, separating workloads by function, applying role-based access controls, and supporting data sovereignty requirements.

This structure also supports internal and external reporting, with clear audit trails and accountability pathways. By embedding these controls into the tenancy from the outset, firms strengthen their ability to respond confidently to audits, incidents, or client due diligence requests.

For APRA-regulated organisations, this level of design maturity enables security and compliance to operate in the background, supporting day-to-day productivity while maintaining a defensible, standards-aligned position.

 

Changes from insurers and clients

Cyber insurance providers now assess firms against a defined set of control expectations. These include 24x7 threat monitoring, formal response planning, and evidence of tested security controls. Gaps in these areas often lead to delayed coverage, exclusions, or increased premiums.

Clients are also reviewing supplier security as part of procurement and contract renewal. Legal, accounting, and advisory firms working with confidential data are expected to maintain consistent safeguards across their digital systems.

 

 

Executive checks to conduct now

Firms with 50–200 staff often operate without dedicated cybersecurity personnel. However, compliance obligations still apply. The following areas should be reviewed at the executive level:

  • How is your cloud tenancy structured to support accountability and access control?
  • Are roles, responsibilities, and escalation paths defined and documented?
  • What real-time monitoring and alerting is in place?
  • Are backup, recovery, and continuity plans current and tested?
  • Do your IT partners meet the same compliance expectations that apply to your firm?

Clear answers to these questions form the foundation of risk-aware governance.

Supporting Cloud Governance, Security, and Compliance

andersenIT helps firms align their cloud environments with regulatory requirements such as APRA CPS 234. Our team works closely with legal, financial, accounting, and advisory organisations to strengthen governance, reinforce accountability, and embed security controls into cloud tenancy structures.

We provide:

  • Tenancy architecture designed to meet APRA and ISO 27001 expectations
  • Cybersecurity risk assessments tailored to your business model and obligations
  • Continuous monitoring, reporting, and incident response capabilities
  • Support for executive oversight, policy development, and vendor alignment
  • Clear, actionable guidance for internal teams, boards, and audit preparation

Whether you're clarifying responsibilities, reviewing configurations, or preparing for insurer or client assessments, we offer practical support grounded in experience.


Talk to us about strengthening your position.

1300 ICT AIT (428 248)