BeyondTrust - Secure Remote Access and Privileged Access Management

What Is APRA CPS 234?

APRA CPS 234 is the Australian Prudential Regulation Authority’s information security standard designed to strengthen the cyber resilience of regulated financial institutions. CPS 234 applies to all APRA-regulated entities—including banks, insurers, and superannuation funds—and mandates stringent controls, continuous assurance, and timely reporting of material security incidents.

This standard requires organisations in scope to:

  • Maintain an information security capability commensurate with the threats they face

  • Protect information assets from compromise

  • Ensure clear accountability for security across internal teams and third-party service providers, with the Board ultimately responsible for the entity's information security

Why CPS 234 Matters

APRA’s Heightened Focus on Cyber Resilience

APRA has made cyber resilience a top supervisory priority. This is primarily in response to the increasing pace and scale of attacks targeting the financial sector. Recent supervisory updates make clear that regulated entities can expect more intense scrutiny of their information security controls, deeper examinations of cyber weaknesses, and firmer enforcement when gaps are discovered. This shift reflects APRA’s view that cybersecurity incidents—especially those involving privileged access misuse or third-party compromise—pose a significant systemic risk to the broader financial system.

Increased Expectations for Independent Reviews & Assurance

CPS 234 places strong emphasis on assurance, requiring entities to regularly test their controls and have their security posture independently reviewed. APRA is now more aggressively mandating these reviews and using the findings to drive remediation timelines. Organisations must not only implement adequate controls, but also demonstrate that those controls are effective, monitored, and continuously improved upon.

This means security teams need greater visibility across privileged accounts, third-party access pathways, and identity-related risks to meet APRA's expectations under heightened regulatory scrutiny.

Core CPS 234 Requirements

Organisations in scope should establish the following policies, procedures, and practices. CPS 234 is principles-based: it does not prescribe specific security controls for any of these categories, but it does require that controls be commensurate with the vulnerabilities and threats to each information asset, and that their design and operating effectiveness be tested systematically so the organisation can demonstrate they work.


Information Security Capability

Maintain security capabilities that match the scale of your threats, risks, and critical information assets.

Policy Framework & Governance

Establish clear, enforceable security policies and assign accountable roles to oversee their implementation.

Implementation of Controls

Deploy appropriate controls to protect information assets and mitigate vulnerabilities across systems and users.

Testing & Validation

Regularly assess and independently review your security controls to ensure they operate effectively.

Incident Detection & Reporting

Identify security incidents quickly and notify APRA within the required timeframes: no later than 72 hours after becoming aware of a material information security incident, and no later than 10 business days after becoming aware of a material control weakness that cannot be remediated in a timely manner.

Service Provider Oversight

Ensure external partners meet your security standards, and effectively manage the risks they introduce.

CPS 234 & CPG 234: Key Control Areas

CPS 234 is supported by APRA's Prudential Practice Guide CPG 234, which expands on the types of controls and practices expected from regulated entities. While not prescriptive, the attachments to CPG 234 outline the core areas that financial institutions should address to build stronger, more resilient information security capabilities.

Organizations can use BeyondTrust solutions to help strengthen many of these controls—particularly those tied to identity, privileged access, monitoring, and third-party oversight.

Attachment A – Security Principles

Attachment A highlights foundational security principles, such as least privilege, layered defenses, timely incident detection, segregation of duties, and strong monitoring of remote access for employees, contractors, and vendors.

BeyondTrust Privileged Access Management (PAM) and Identity Security solutions can directly support these principles by enforcing least privilege across endpoints, securing privileged credentials, removing endpoint administrative rights, and controlling high-risk identity activities. They can also govern third-party and remote access with granular permissions, and provide full session monitoring and analytics to identify unusual behaviour before it becomes a security incident.

Attachment B – Training & Awareness

Attachment B underscores the importance of equipping employees with the knowledge and tools to make secure decisions—especially around passwords, authentication, phishing, and data handling.

BeyondTrust solutions can strengthen these programs by eliminating common user risks: automating privileged password rotation, masking credentials from end users via auto-injection, and supporting MFA integrations to prevent a compromised account from becoming a full-blown breach.

Attachment C – Identity & Access Management

Attachment C contains the most extensive guidance, outlining how organisations should manage identities, enforce least privilege, authenticate securely, control contextual access, govern entitlements, and maintain the full lifecycle of privileged accounts.

BeyondTrust solutions can help organizations align closely with these expectations by centralising privileged credential management, implementing granular privilege elevation and delegation, removing admin privileges on workstations without impacting user productivity, securing third-party remote access, providing visibility into privileged sessions, and integrating with IAM and IGA systems to ensure access is only granted when necessary—and only for the finite duration required.

Attachment H – Reporting & Auditability

Attachment H emphasizes the need for comprehensive reporting, audit trails, and visibility into access activities, incidents, and control effectiveness.

BeyondTrust solutions provide detailed session logs, credential analytics, centralised visibility into privileged activity, and automated reports that help teams demonstrate compliance, support internal audits, and satisfy APRA’s heightened expectations for security oversight and evidence quality.

Common CPS 234 Challenges for Regulated Entities

The following challenges commonly surface when regulated entities assess their identity and access controls against the standard.


Unmanaged or Excessive Privileges

Privileged accounts often accumulate with unchecked access, expanding the attack surface and increasing breach risk due to unmonitored privileged activity.

Limited Visibility Across Identities & Access

Organisations struggle to see who has access to what, making it difficult to detect misconfigurations or identity-based threats across every domain.

Gaps in Third-Party Oversight

Vendors and service providers introduce risk when their remote access isn’t tightly controlled, monitored, or aligned with internal standards for change control or access policies.

Manual or Fragmented Access Reviews

Reviewing entitlements across disparate systems is inconsistent, time-consuming, and error-prone, and it allows toxic combinations of entitlements (for example, one identity holding rights that should be segregated) to go unnoticed.

Piecemeal Least Privilege

Teams often lack a unified approach to limiting privileges, leading to over-provisioned accounts and unnecessary elevated access across human and machine identities, including AI agents.

Ineffective Incident Response

When identity-based threats arise, slow detection and manual privilege removal widen the blast radius. Automated, auditable controls help regulated entities contain incidents quickly and meet APRA expectations.

How BeyondTrust Helps You Align with CPS 234 Controls

Credential Lifecycle Management & Strong Authentication

BeyondTrust Password Safe™ centralizes the discovery, onboarding, and lifecycle management of privileged accounts and credentials for human and machine identities (including AI agents and RPA workflows). Credentials (passwords, secrets, keys, etc.) are rotated automatically, stored securely, and never shared with or exposed to users. By masking passwords, enforcing role-based access workflows, and integrating with MFA and with Active Directory and Microsoft Entra ID (formerly Azure AD), Password Safe strengthens authentication controls and ensures access is granted only when there is a valid business need.

Password Safe reduces identity-based breach risk for human, machine, and AI identities alike. It supports timely incident investigation through full audit trails and simplifies access governance, both key outcomes APRA expects when reviewing an organization's security posture.

Enforce Least Privilege across Endpoints

BeyondTrust Endpoint Privilege Management enforces least privilege across Windows, macOS, Unix, and Linux environments by granting “just enough” privilege for applications and tasks to operate as designed. Fine-grained elevation policies ensure users can operate without full admin rights, while application control and Trusted Application Protection block malicious scripts, risky macros, and unauthorized processes.

By removing unnecessary privileges and constraining lateral movement, organizations significantly reduce their attack surface and better meet CPS 234's control requirements, together with the CPG 234 guidance on security principles, application control, and mitigating the risk of unauthorized software.

Secure Call Center and Third-Party Access

BeyondTrust provides secure remote access via our Privileged Remote Access and Remote Support products.

Privileged Remote Access delivers identity-based, just-in-time access to authorized systems across cloud, on-premises, and OT environments. It removes the need to grant third-party vendors VPN access by injecting credentials securely and enforcing granular, zero-trust access controls tied to business need.

Remote Support extends these protections to technical support and IT operations teams, enabling secure attended and unattended access to servers, workstations, network devices, kiosks, and more. It ensures service desks can troubleshoot and resolve incidents efficiently while maintaining complete visibility and auditability of all remote activity.

Together, BeyondTrust's secure remote access capabilities provide tightly controlled, fully monitored pathways for vendors, contractors, call centers, and remote employees, one of the highest-risk areas highlighted in CPS 234. Access can be limited by system, session type, time window, or specific command, with every session monitored, recorded, and auditable. Credentials remain hidden from users at all times to prevent exposure or misuse. These capabilities help organizations ensure service providers meet their security standards, reduce supply-chain and outsourced-access risk, and deliver the level of oversight APRA expects over access to critical information assets.

Identity Security Visibility, Threat Detection, & Reporting

BeyondTrust Identity Security Insights® consolidates visibility and intelligence across all identities, showing privilege escalation pathways, user activity, assets, misconfigurations, and identity-related threats in one place. Identity Security Insights correlates privileged behavior with known risks, flags anomalies, and provides actionable recommendations, helping teams detect issues earlier and prioritize the controls that matter most, with findings mapped to MITRE ATT&CK™ and NIST SP 800-53.

With streamlined reporting, unified visibility, and clear evidence of how identities are governed, organizations can more easily demonstrate audit readiness and meet APRA’s rising expectations for continuous assurance, measurable effectiveness, and holistic identity security across the entire enterprise.

Trusted by These Companies

“Overall, BeyondTrust has been able to meet all our criteria for the delivery of a PAM solution. These include compliance, cloud adaptability, minimal operational complexity, tailored plugin capabilities, pricing consideration and the availability of strong local support.”

—Mateen Sayyed, Regional Head of Identity & Access Management, Ninja Van Group

“BeyondTrust Endpoint Privilege Management really is a perfect solution. Not only does it implement least privilege, protect, and monitor our privileged accounts, it also allows us to maintain compliance with several regulations, which is hugely beneficial to us.”

—Orwill Sebastian, Project Manager, Zensar

“Thanks to BeyondTrust’s Privileged Account and Session Management (PASM) solution, we now have industry-leading password and access management capabilities. This ensures our core systems remain protected but also readily accessible to those who require it. The result is that we can offer support to our national network of franchisees who can meet their clients’ needs.”

—Ian Melton, Head of Security & IT Operations, Autoleague

Ready to take the next step?


Get in touch to discuss your CPS 234 compliance needs.