Compliance crosswalk · APRA CPS 234
APRA CPS 234 (Australia) - email + domain controls, mapped to Wiredepth
Framework version: In force since 1 July 2019; ongoing examination focus, particularly after the 2022-2024 industry breach review (Optus, Medibank, Latitude)
Who this is for. APRA-regulated entities in Australia: authorised deposit-taking institutions (ADIs - banks, credit unions, building societies), general insurers, life insurers, private health insurers, and registered superannuation entities (RSEs). Plus any service provider managing information assets on behalf of an APRA-regulated entity (CPS 234 paragraph 10 extension).
Where email + domain controls fit. CPS 234 organises requirements around an entity's information-security capability, including roles + responsibilities, control framework, response capability, independent testing, and incident reporting. Email + domain-posture controls show up most directly under Information Security Capability (paragraphs 13-15), Implementation of Controls (16-18), and Incident Management (33-35). For service-provider arrangements, paragraph 10 extends the same expectations to authorised email-sending vendors.
Why now. APRA stepped up CPS 234 examinations after the 2022 Medibank breach and 2023 Latitude Financial breach pushed cyber to the top of the supervisor agenda. Most APRA-regulated entities are deep into compliance audit + remediation cycles. Email is an under-tested surface relative to network controls; gaps are easy to measure and close.
Clause-by-clause mapping
Each row maps a specific APRA CPS 234 requirement to the Wiredepth surface that addresses it. The clause ids are the framework's own naming - verify them against the official text. We use precise language: "addresses" (the tool directly satisfies the control), "supports" (the tool contributes evidence the auditor will need), and "evidence for" (the artifact is part of the attestation package).
| Clause | Requirement | Wiredepth response |
|---|---|---|
| Para. 13 (Information Security Capability) Authentication | Maintain an information-security capability commensurate with the size + extent of threats to its information assets. Email-borne threats (BEC, brand impersonation, customer phishing) are explicitly named in APRA's CPG 234 guidance. | DMARC + SPF + DKIM analyzer scores email-auth posture. Spoofability check gives a yes / maybe / no verdict on third-party impersonation - the BEC defense bar APRA cites. |
| Para. 14 (Roles + responsibilities) Reporting | The Board has ultimate responsibility for the entity's information security. Board reporting must include measurable indicators of email + identity-control effectiveness. | Email-auth scorecard PDF is the kind of timestamped, attestable artifact the Board risk + audit committees actually read. Watermarked URL for governance records. |
| Para. 15 (Policy framework) Authentication | Maintain an information-security policy framework + standards. Email authentication standards (DMARC, SPF, DKIM, MTA-STS) sit inside this framework. | Continuous monitoring of DMARC / SPF / DKIM / MTA-STS posture demonstrates the policy is operating, not just documented. Change history evidences ongoing adherence. |
| Para. 17 (Asset identification) Inventory | Identify the entity's information assets, including categorisation by criticality + sensitivity. Includes the email-sending vendors authorised on behalf of the entity. | Vendor consolidation audit inventories every third party authorised in SPF / DKIM / MX / DMARC, with blast-radius rating per vendor. CPS 234 asset-identification evidence for the third-party email surface. |
| Para. 18 (Service provider arrangements) Inventory | When information assets are managed by a related or third party, the entity must assess the information security capability of that party. APRA explicitly extends responsibility here - the entity cannot delegate accountability. | Vendor consolidation report + de-authorization guides cover both the inventory and the offboarding side of the third-party email-sender lifecycle. Vendor monitoring (Pro+) tracks ongoing third-party posture changes. |
| Para. 23-24 (Independent testing) Monitoring | The entity's information-security controls must be subject to systematic testing - frequency commensurate with the rate of change in controls + information-security environment. | Continuous monitoring tracks DMARC / SPF / DKIM / MTA-STS posture and alerts on regressions. Change-history snapshots = automated systematic-testing evidence APRA examiners ask for. |
What auditors actually look at
From APRA examinations 2023-2025, here's what comes up most often when email + domain posture is in scope:
- Documented DMARC enforcement posture. p=none on a customer-facing domain is increasingly treated as a finding rather than an acceptable interim. APRA-regulated entities are expected to progress to p=reject within a defined timeframe.
- Third-party email-sender inventory. CPS 234 paragraph 18 is among the most-tested clauses. Examiners want to see which vendors send as you, what data they handle, when relationships were last reviewed.
- Customer impersonation controls. ScamWatch + ACMA increasingly flag bank-impersonation campaigns in Australia. Brand-watchlist alerts with a demonstrated response history are direct evidence of capability under paragraph 13.
- 72-hour notification timeline. Paragraph 35 is unforgiving on timing. An audited incident-detection + escalation workflow (vs "we forward suspicious emails to abuse@") shortens the time-to-awareness that drives the 72-hour clock.
- Continuous monitoring tied to material change. This is the paragraph 23 testing expectation. An alert-on-DMARC-regression history with documented remediation is the standard examiners cite.
- Cross-border considerations. Australian banks with NZ or Pacific subsidiaries face overlapping expectations from RBNZ (similar regime) + APRA. A single posture evidence trail that cites both is the efficient pattern.
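The first and fifth points above (DMARC enforcement posture, and alerting on DMARC regressions) are the two checks that are easiest to automate. The following is an added example, not Wiredepth's code or any tool described on this page: it parses a DMARC TXT record using the RFC 7489 tag=value syntax, ranks the enforcement level (none < quarantine < reject), lists the weaknesses an examiner would record against a customer-facing domain, and compares two snapshots to produce regression alerts. The records and the `bank.example` domain are constructed samples, not live DNS data; in practice the snapshots would come from a scheduled DNS lookup of `_dmarc.<domain>`.

```python
"""DMARC posture classification and regression alerting (added example)."""
from dataclasses import dataclass

# Enforcement rank: higher is stronger. p=none is monitoring only.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass(frozen=True)
class DmarcPosture:
    policy: str             # p= tag (required)
    subdomain_policy: str   # sp= tag; defaults to p= when absent
    pct: int                # pct= tag; defaults to 100
    has_rua: bool           # aggregate-report address (rua=) present
    rank: int               # POLICY_RANK of p=


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a lowercase-keyed tag dict.

    Raises ValueError for records that are not v=DMARC1 or lack p=; receivers
    treat such records as if no DMARC policy were published at all.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("record is not v=DMARC1")
    if "p" not in tags:
        raise ValueError("required p= tag missing")
    return tags


def classify(record: str) -> DmarcPosture:
    """Build a DmarcPosture from a record string, applying RFC 7489 defaults."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        raise ValueError(f"unknown policy {policy!r}")
    sp = tags.get("sp", policy).lower()
    if sp not in POLICY_RANK:
        raise ValueError(f"unknown subdomain policy {sp!r}")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    return DmarcPosture(policy, sp, pct, "rua" in tags, POLICY_RANK[policy])


def findings(p: DmarcPosture) -> list[str]:
    """Weaknesses an examiner would record against a customer-facing domain."""
    out = []
    if p.rank == 0:
        out.append("p=none: monitoring only, no enforcement against spoofed mail")
    if p.pct < 100:
        out.append(f"pct={p.pct}: policy applied to only part of failing mail")
    if POLICY_RANK[p.subdomain_policy] < p.rank:
        out.append(f"sp={p.subdomain_policy}: subdomains enforce less than the apex")
    if not p.has_rua:
        out.append("no rua= address: aggregate reports are not being collected")
    return out


def detect_regression(previous: str, current: str) -> list[str]:
    """Compare two snapshots of the same domain's DMARC record.

    Returns one alert line per weakening; an empty list means no regression.
    """
    old, new = classify(previous), classify(current)
    alerts = []
    if new.rank < old.rank:
        alerts.append(f"policy weakened: p={old.policy} -> p={new.policy}")
    if POLICY_RANK[new.subdomain_policy] < POLICY_RANK[old.subdomain_policy]:
        alerts.append(f"subdomain policy weakened: sp={old.subdomain_policy} "
                      f"-> sp={new.subdomain_policy}")
    if new.pct < old.pct:
        alerts.append(f"enforcement sample reduced: pct={old.pct} -> pct={new.pct}")
    if old.has_rua and not new.has_rua:
        alerts.append("aggregate reporting (rua=) removed")
    return alerts


if __name__ == "__main__":
    # Constructed snapshots for a placeholder domain, one week apart.
    monday = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@bank.example"
    friday = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@bank.example"
    print("findings:", findings(classify(friday)))
    print("regressions:", detect_regression(monday, friday))
```

The regression check compares the effective posture, not the raw string, so a harmless reordering of tags produces no alert while dropping `sp=` (which silently falls back to the weaker new `p=`) or lowering `pct=` does. Each alert line, together with the two timestamped records, is the kind of artifact the "documented remediation" expectation above asks for.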
Generate an APRA CPS 234-tagged evidence pack (Wiredepth Prove)
Prove subscribers can generate a ZIP of all five workpapers + an APRA CPS 234 README in one click. Single domain, single click, ready to file in your audit binder. See pricing at /pricing#prove ($499/mo standalone, bundled in Enterprise).
Disclaimer. This crosswalk is provided for informational purposes. It is not legal advice, audit guidance, or a substitute for engagement with a qualified assessor (QSA for PCI, accountant or QSA for SOC 2, lawyer for HIPAA / NIS2 / SEC). Framework clause ids and language may have been updated since publication; verify against the official text. Wiredepth does not guarantee compliance based on the use of any tool or page on this site.