FOR FINANCIAL SERVICES & APRA-REGULATED

Customer trust, on the line of every control.

Cybersecurity designed for APRA CPS 234, customer data, payment integrity and the third-party risk that the regulator now asks about by name.

Who this is forAPRA banks & insurersSuper fundsAFSL holders & advisersAccounting & audit firmsMortgage brokersFintechs
The pattern

Financial services is where the regulator looks first.

Customer data, payment systems, third-party risk and AFSL obligations all converge. The control evidence has to be there before the next CPS 234 review.

APRA CPS 234 evidence

The regulator does not accept "we have a policy". You need demonstrable, current control evidence across information security capability, incident response and third-party assurance.

Business email compromise

Finance teams are the BEC target. Invoice fraud, wire redirection, supplier impersonation. A few minutes of inattention costs hundreds of thousands.

Third-party and supply-chain risk

CPS 230 raised the bar on third-party scrutiny. Every material supplier is now your security problem, not theirs.

Privileged and trading-system access

Treasury, trading and core banking systems concentrate the highest-value access. Privileged credentials in spreadsheets are the breach you have not had yet.

The obligation

CPS 234, CPS 230, ASIC RG 255 and the Privacy Act.

Financial services in Australia carries a stack of obligations: APRA CPS 234 on information security, CPS 230 on operational risk and third parties, ASIC RG 255 for AFSL holders, AUSTRAC AML/CTF, and the Privacy Act underneath. Cornerstone builds a program that answers each one with evidence.

What we map to

The frameworks that matter in financial services

  • APRA CPS 234 (information security)
  • APRA CPS 230 (operational risk management, third parties)
  • ASIC RG 255 (AFSL technology risk)
  • AUSTRAC AML/CTF obligations
  • Privacy Act and the Notifiable Data Breaches scheme
  • Essential Eight Maturity Level 2 to 3, depending on profile
What is hitting financial services right now in Australia

The pressures landing on APRA-regulated entities and AFSL holders, in 2025 and 2026.

APRA, ASIC, AUSTRAC and the OAIC are all moving at once. These are the specific things Australian financial leaders are answering for.

01CPS 230

APRA CPS 230 came into force on 1 July 2025.

Operational risk management, business service mapping and third-party scrutiny apply to every APRA-regulated entity. The evidence has to exist, not just the policy.

02CPS 234

Tripartite audits are getting sharper, and the findings are getting specific.

APRA is calling out named control gaps in tripartite letters. Generic information security capability is no longer a passing answer.

03ASIC RG 271 / 255

ASIC expects material cyber controls, evidenced, from AFSL holders.

Information Sheet 271 is now treated as the practical baseline. ASIC is comparing AFSL responses across peers, not just reading them.

04AUSTRAC

AML/CTF reforms have lifted enforcement intensity.

Several major institutions are in active enforcement. Identity and access controls around AML systems are part of that conversation, not separate from it.

05Business email compromise

BEC losses in Australian finance keep rising year-on-year.

Supplier impersonation has overtaken direct phishing. The defence is layered email security, brand protection (DMARC) and trained finance teams.

06Insurers

Cyber renewals now demand evidence of MFA, EDR, immutable backup and PAM.

Underwriters compare answers across peer institutions. A weak answer in one area sets the price for the whole policy.

What we deliver

A program built to pass scrutiny and stand up under attack.

Six controls, mapped to the obligations the regulator and your board actually ask about.

Identity

Phishing-resistant MFA and PAM for the systems that move money

FIDO2 keys for treasury, trading and admin roles. Delinea PAM vaults privileged credentials and records every session. Conditional Access blocks anything off-pattern.

Microsoft EntraConditional AccessDelinea PAMFIDO2 keys
Email & BEC

Layered email defence that catches what slips through

Mimecast in front of Defender for Office for layered detection. Brand protection (DMARC) prevents supplier impersonation; Mimecast Incydr watches for sensitive data leaving over web and personal email.

MimecastDefender for OfficeMimecast AwareMimecast Incydr
Customer data

Labels, DLP and DSPM around customer and transactional data

Purview labels and DLP across M365, Netskope DLP for everything leaving over web and SaaS, Cyera DSPM mapping where customer data actually lives across the estate.

Purview DLPNetskope DLPCyera DSPM
Endpoints

EDR with managed hunt for finance-grade detection

CrowdStrike Falcon across the fleet, Falcon Complete for managed hunt where the SOC is lean. Defender for Endpoint where Microsoft-only is the right call.

CrowdStrike FalconFalcon CompleteDefender for Endpoint
Detection & response

A SOC plane that produces real CPS 234 evidence

Microsoft Sentinel and Defender XDR unified, or CrowdStrike NG-SIEM where preferred. Incident playbooks, response runbooks and quarterly tabletops, documented to APRA expectations.

Microsoft SentinelDefender XDRCrowdStrike NG-SIEM
Resilience

Tested, immutable backups for CPS 230 evidence

Core systems, M365 and customer-data stores backed up to immutable storage. Recovery is tested at least quarterly with evidence captured for CPS 230.

VeeamImmutable storageTested recovery
The outcome

A program that produces evidence, not slides.

  • CPS 234 control evidence ready for the next review
  • CPS 230 third-party and resilience answers documented
  • Board-readable posture against Essential Eight ML2 / ML3
  • BEC and supplier impersonation risk materially reduced
  • Privileged access vaulted, rotated, recorded
  • Cyber insurance answers you can stand behind

A cyber program that survives an APRA conversation.

We design, implement and hand over secure systems your team can run, with the evidence to back it up. Senior advice, scoped engagements, no managed-service lock-in.

Common questions

Questions financial services leaders ask before they engage.

Straight answers, no hedging.

Do you have direct CPS 234 experience?

Yes. We map controls explicitly to CPS 234 sub-clauses and produce evidence ready for the next tripartite review, internal audit or external assessor.

How do you handle third-party risk under CPS 230?

We design a third-party assurance baseline, map material providers, and operationalise ongoing assessment so CPS 230 evidence is current, not a once-a-year scramble.

Is Essential Eight ML2 enough for finance?

For most mid-sized financial entities, ML2 is the right minimum. Larger institutions and those holding the most sensitive data should target ML3 in priority areas.

Can you operate alongside our existing SOC or MSSP?

Yes. We integrate cleanly with existing SOC, MSSP or co-managed arrangements. We do not replace your team; we make them more effective.

What is your view on cyber insurance?

It is part of the answer, not the answer. Insurers ask increasingly specific questions about MFA, EDR, backup immutability and PAM. We build a program that answers them with evidence.

Do you work with smaller AFSL holders too?

Yes. The obligations apply, scoped to the size and risk of the licensee. We sequence the controls so the highest-impact ones go live first.