
APRA CPS 234 on AWS: Notification, Material Weakness, and the CPS 230 Overlay

APRA-regulated entities have 72 hours to notify a material information security incident, and only 24 hours under CPS 230 once a critical operation is disrupted outside tolerance. This is the practical playbook for AWS workloads in ap-southeast-2 and ap-southeast-4.

By Matt Gurr

Inside the guide

APRA Prudential Standard CPS 234 imposes a 72-hour notification obligation for material information security incidents on Australian banks, insurers, and superannuation funds, plus a 10-business-day notification for a material information security control weakness the entity does not expect to remediate in a timely manner. CPS 230, effective from 1 July 2025, adds its own clocks: 72 hours for an operational risk incident likely to have a material financial impact or a material impact on critical operations, and 24 hours once a critical operation has been disrupted outside the entity's tolerance level, which is where most serious cyber incidents end up. The 24-hour clock therefore controls in practice. Hitting it on AWS requires a documented materiality model and tolerance levels that an operations team can apply at 2am, a board-approved incident commander with standing notification authority, and an evidence stack in ap-southeast-2 or ap-southeast-4 that can quantify customer impact within hours. This guide covers what CPS 234 and CPS 230 actually require, how to read them together, and the AWS-specific operational changes that follow.

  • The full regulatory rule, plain-language
  • An hour-by-hour (or day-by-day) runbook
  • The pre-incident AWS hardening that meets the standard
  • Common mistakes seen in practice
  • What to do this week to get ahead
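Reading the two standards together comes down to working out which clock runs out first from a handful of facts the incident commander can establish at 2am. The calculator below is an added example written for this guide, not the author's tooling: it encodes the editor's reading of CPS 234 paragraphs 35 and 36 and CPS 230 paragraphs 33 and 34 (confirm against the current standard text and your own board-approved materiality model and tolerance levels before relying on it), handles the 10-business-day weakness clock including weekends and caller-supplied holidays, and returns the controlling obligation. The incident facts, dates and the fixed AEST offset are constructed for the example.

```python
# Added example for this guide (not the author's code): turn incident facts into
# dated APRA notification obligations and pick the one that runs out first.
# Assumption: the clocks below are the editor's reading of CPS 234 paras 35-36 and
# CPS 230 paras 33-34; validate against the standard text and your own materiality
# model before use.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

# Assumption: a fixed AEST offset so the example runs offline. Production code should
# use zoneinfo.ZoneInfo("Australia/Sydney") so daylight saving is handled.
AEST = timezone(timedelta(hours=10), "AEST")


@dataclass
class IncidentFacts:
    aware_at: datetime                            # when the entity became aware (tz-aware)
    material_impact: bool = False                 # CPS 234 35(a): material or potentially material impact
    notified_other_regulator: bool = False        # CPS 234 35(b): notified to any other regulator
    unremediable_control_weakness: bool = False   # CPS 234 36: weakness not remediable in a timely manner
    material_ops_incident: bool = False           # CPS 230 33: likely material financial / critical-ops impact
    critical_op_outside_tolerance: bool = False   # CPS 230 34: critical operation disrupted beyond tolerance


@dataclass
class Obligation:
    source: str
    deadline: datetime
    basis: str


def add_business_days(start: datetime, days: int, holidays: frozenset[date] = frozenset()) -> datetime:
    """End of the N-th business day after `start`, skipping weekends and the supplied holidays.
    Assumption: a business day is Mon-Fri not listed in `holidays`; state holidays are the caller's job."""
    d = start.date()
    counted = 0
    while counted < days:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            counted += 1
    end_of_day = datetime.max.time().replace(microsecond=0)  # 23:59:59 on the deadline day
    return datetime.combine(d, end_of_day, tzinfo=start.tzinfo)


def obligations(facts: IncidentFacts, holidays: frozenset[date] = frozenset()) -> list[Obligation]:
    """Every APRA notification obligation the facts trigger, earliest deadline first."""
    if facts.aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; the clocks are wall-clock deadlines")

    def hours(h: int) -> datetime:
        return facts.aware_at + timedelta(hours=h)

    out: list[Obligation] = []
    if facts.material_impact:
        out.append(Obligation("CPS 234 para 35(a)", hours(72), "material information security incident"))
    if facts.notified_other_regulator:
        # The 72 hours run from awareness of the incident, not from the other regulator's submission.
        out.append(Obligation("CPS 234 para 35(b)", hours(72), "incident notified to another regulator"))
    if facts.unremediable_control_weakness:
        out.append(Obligation("CPS 234 para 36", add_business_days(facts.aware_at, 10, holidays),
                              "material control weakness not remediable in a timely manner"))
    if facts.material_ops_incident:
        out.append(Obligation("CPS 230 para 33", hours(72), "operational risk incident with likely material impact"))
    if facts.critical_op_outside_tolerance:
        out.append(Obligation("CPS 230 para 34", hours(24), "critical operation disrupted outside tolerance"))
    return sorted(out, key=lambda o: o.deadline)  # stable: equal 72h clocks keep CPS 234 order


def controlling(facts: IncidentFacts, holidays: frozenset[date] = frozenset()) -> Obligation | None:
    """The obligation whose clock runs out first; this is the one the incident commander plans to."""
    obs = obligations(facts, holidays)
    return obs[0] if obs else None


if __name__ == "__main__":
    # Constructed scenario: ransomware detected at 02:00 AEST on Friday 1 August 2025 takes
    # online banking outside tolerance and exposes a control weakness that cannot be fixed quickly.
    facts = IncidentFacts(
        aware_at=datetime(2025, 8, 1, 2, 0, tzinfo=AEST),
        material_impact=True,
        critical_op_outside_tolerance=True,
        unremediable_control_weakness=True,
    )
    for o in obligations(facts, holidays=frozenset({date(2025, 8, 4)})):  # hypothetical holiday
        print(f"{o.deadline:%Y-%m-%d %H:%M %Z}  {o.source}: {o.basis}")
    print("controlling:", controlling(facts).source)
```

The point the sort makes explicit is that the same facts usually trigger several paragraphs at once, and the runbook should plan to the earliest deadline while still filing the others; the business-day arithmetic also shows why the paragraph 36 clock needs a holiday calendar rather than a naive `+ 14 days`.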

Frequently asked questions

How long do I have to notify APRA of a cyber incident?
Under CPS 234, no later than 72 hours after becoming aware of a material information security incident (and no later than 10 business days for a material control weakness you do not expect to remediate in a timely manner). Under CPS 230 (effective from 1 July 2025), no later than 72 hours after becoming aware of an operational risk incident likely to have a material financial impact or a material impact on critical operations, and no later than 24 hours once a critical operation has been disrupted outside tolerance. Most serious cyber incidents trigger both standards, and the tightest clock controls: plan for 24 hours, not 72.
Does CPS 234 apply to my workloads on AWS?
Yes, if your entity is APRA-regulated. CPS 234 is technology-neutral — running on AWS, on-premises, or a hybrid does not change the obligation. The board of the APRA-regulated entity remains accountable for information security of all systems used by the entity, regardless of where they run or who operates them. Outsourcing the workload does not outsource the obligation.
What counts as a 'material' information security incident?
An incident that has materially affected, or had the potential to materially affect, the entity or the interests of depositors, policyholders, beneficiaries, or other customers, financially or non-financially. The materiality threshold is set by the entity but must be documented, board-approved, and applied consistently. Paragraph 35(b) separately requires APRA notification of any incident that has been notified to another regulator, in Australia or overseas, with no materiality test of its own: a notification to OAIC, CERT-In, or MAS automatically pulls in APRA.
Does CPS 230 change anything for cloud incidents?
Yes, significantly. CPS 230 imposes a 24-hour notification window once a critical operation is disrupted outside tolerance (and 72 hours for other operational risk incidents with a likely material impact), and requires the entity to identify AWS as a material service provider where critical operations depend on it, with documented oversight obligations. For most APRA-regulated entities running core systems on AWS, a serious cyber incident will push some critical operation outside tolerance, so the CPS 230 24-hour clock, not the CPS 234 72-hour one, is the cyber notification clock to plan for.
Do I need to notify APRA if I've already notified OAIC?
Yes. CPS 234 paragraph 35(b) requires APRA notification of any incident that has been notified to another regulator, in Australia or overseas, including OAIC, CERT-In, MAS, or any other authority. The 72-hour window runs from when you became aware of the incident, not from when the other notification is submitted, so the APRA notification should go out alongside the other one, on the same factual basis.
How does APRA view AWS — is it a 'material service provider'?
Under CPS 230, AWS is almost certainly a material service provider for any APRA-regulated entity that runs core systems on it. This brings formal due diligence, ongoing oversight, exit planning, and concentration risk management requirements. AWS publishes APRA-aligned documentation and supports the audit and oversight expectations, but the obligation to manage the relationship is yours.