The Australian Prudential Regulation Authority (APRA) introduced the CPS 234 prudential standard to set a clear benchmark for cybersecurity resilience. Complying with CPS 234 is a key step for organisations to protect sensitive information and build trust.
As businesses rely more on data-driven operations, protecting customers’ information — especially in non-production environments that are often overlooked — is more important than ever. In fact, according to our latest report, a shocking 60% of organisations have experienced a data breach or theft in non-production environments (up 11% from last year).
Let’s look at what this standard is, who needs to comply with it, and some challenges and solutions for meeting compliance at enterprise scale.
What is Prudential Standard CPS 234?
CPS 234 is an information security standard issued by the Australian Prudential Regulation Authority (APRA), the prudential regulator for Australia's banks, insurers and superannuation funds. Its goal is to strengthen the resilience of regulated entities against information security incidents. It requires entities to classify their information assets by criticality and sensitivity and to implement controls for protecting, detecting and responding to threats against them that are commensurate with that classification. The standard does not distinguish between production and non-production: every copy of a sensitive information asset is in scope, including the development and test copies that typically sit behind fewer controls than production.
Why is it Important?
CPS 234 matters because it requires organisations to be able to withstand and respond to information security incidents rather than merely hope to avoid them. It assigns accountability to the board, ties the strength of controls to the sensitivity of each asset, and sets hard deadlines for reporting incidents, all of which reduce the likelihood and the impact of data breaches and the financial loss that follows them.
What’s more, if the Australian Securities and Investments Commission (ASIC) adopts similar measures, companies across all industries will need to step up their data protection strategies, focusing on areas like data masking and governance.
Who Needs to Comply?
In Australia, every APRA-regulated entity, including banks, insurers and superannuation funds, must comply with CPS 234. Third-party service providers are not regulated by APRA directly, but where they manage an entity's information assets the entity remains responsible: it must assess the provider's information security capability and ensure the controls applied to that data are commensurate with its sensitivity. In practice this pushes CPS 234 obligations onto vendors through contracts and assurance.
What are the Consequences of Non-Compliance?
Failure to comply with CPS 234 can result in regulatory penalties, reputational damage, and increased vulnerability to cyberattacks. APRA may also impose additional oversight or restrictions on non-compliant entities.
What Are the Key CPS 234 Requirements for Securing Non-Production Data?
CPS 234 does not carve out separate rules for non-production data. The following general requirements apply to every copy of an information asset, and they are the ones that bite hardest in development and test environments:
Identification and Classification of Information Assets
Organisations must classify their information assets, including those managed by related parties and third parties, by criticality and sensitivity. A maintained register of information assets is the practical way to do this, and it has to cover the copies held in non-production, which often appear nowhere in existing asset inventories.
Implementation of Security Controls
Security controls must be commensurate with the vulnerabilities and threats to the asset, its criticality and sensitivity, and the potential consequences of an incident. For many organisations this is where development and test environments, non-production, fall short: they hold full copies of production data but receive a fraction of production's controls.
The most effective way to protect sensitive data in non-production is static data masking: the data is transformed once, before it leaves the production boundary, so real values never enter the less controlled environment. Static masking replaces sensitive fields such as names and account numbers with realistic but fictitious equivalents, so the dataset still exercises the same code paths in testing, analytics and so on. "Irreversible" here means that nothing retained in non-production, neither a key nor a lookup table, allows the original values to be recovered; whatever secret the masking job uses stays with that job.
Testing of Controls
Entities must test the effectiveness of their information security controls through a systematic testing program, with a frequency commensurate with how fast vulnerabilities and threats change, and have the results reviewed by internal audit or another independent function. For non-production this means checking the datasets being transferred in on every refresh: confirming that masking actually ran, that the masked output contains no values present in the source, and that the referential integrity the tests depend on survived.
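The two requirements above, commensurate controls on non-production copies and a test that those controls work, in an added example that is not code from the page or from Delphix. It assumes a constructed pair of tables sharing an account_no key, a masking key that is generated on the production side and never copied to non-production, and Luhn-valid 16-digit strings standing in for real account numbers. Masking is deterministic (same input, same output, so joins between tables survive) and keyed with HMAC-SHA256, so the original values cannot be computed back from the masked copy; the verify step is the kind of control test CPS 234 asks for, run by the masking job before each refresh is shipped.

```python
"""Deterministic static masking plus a test-of-controls check.

Added example, not code from the page or from Delphix. Assumptions: the
sample tables below are constructed; the masking key (a fixed value in the
test harness, os.urandom in the masking job) lives only with that job and
is never copied to non-production; a Luhn-valid 16-digit string stands in
for a real account or card number.
"""
import hashlib
import hmac
import os

# Realistic-looking but fictitious replacement values.
FIRST = ["Amelia", "Charlie", "Isla", "Jack", "Mia", "Noah", "Olivia", "Oscar"]
LAST = ["Brown", "Chen", "Nguyen", "Patel", "Smith", "Taylor", "Walker", "Wilson"]

# Constructed sample data: account_no is shared by both tables, so the
# masking must map equal inputs to equal outputs or test joins break.
CUSTOMERS = [
    {"cust_id": 1, "name": "Alice Nguyen", "email": "alice@example.com", "account_no": "4539578763621486"},
    {"cust_id": 2, "name": "Bob Smith", "email": "bob@example.com", "account_no": "4532015112830366"},
]
ACCOUNTS = [
    {"account_no": "4539578763621486", "balance": 1200.50},
    {"account_no": "4532015112830366", "balance": 80.00},
    {"account_no": "4539578763621486", "balance": -40.00},
]


def _prf(key: bytes, field: str, value: str) -> bytes:
    """Keyed, domain-separated PRF. Same (key, field, value) -> same bytes,
    so masking is deterministic; without the key the output cannot be
    inverted. Domain separation stops a person's masked name and masked
    email from sharing a stream. Caveat: anyone holding the key can
    dictionary-attack low-entropy fields, which is why the key stays out
    of non-production."""
    return hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).digest()


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit Luhn-valid."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # rightmost digit of partial is doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def mask_name(key: bytes, value: str) -> str:
    d = _prf(key, "name", value)
    return f"{FIRST[d[0] % len(FIRST)]} {LAST[d[1] % len(LAST)]}"


def mask_email(key: bytes, value: str) -> str:
    # example.net is reserved (RFC 2606), so test mail can never reach a real inbox.
    return f"{_prf(key, 'email', value).hex()[:10]}@example.net"


def mask_account_no(key: bytes, value: str) -> str:
    # 15 PRF-derived digits plus a Luhn check digit, so format validators in
    # the application under test still accept the masked value.
    body = "".join(str(b % 10) for b in _prf(key, "account_no", value)[:15])
    return body + luhn_check_digit(body)


MASKERS = {"name": mask_name, "email": mask_email, "account_no": mask_account_no}


def mask_tables(tables: dict, key: bytes) -> dict:
    """Apply the column-level maskers to every table; other columns pass through."""
    return {
        name: [{col: MASKERS[col](key, val) if col in MASKERS else val for col, val in row.items()} for row in rows]
        for name, rows in tables.items()
    }


def verify_masking(original: dict, masked: dict) -> dict:
    """Test of controls run by the masking job before data is shipped to
    non-production: no source value may survive, joins must still line up,
    and masked account numbers must still pass format checks."""
    def sensitive_values(tables):
        return {str(r[c]) for rows in tables.values() for r in rows for c in MASKERS if c in r}

    def join_count(tables):
        accts = [r["account_no"] for r in tables["accounts"]]
        return sum(accts.count(c["account_no"]) for c in tables["customers"])

    return {
        "leaked": sorted(sensitive_values(original) & sensitive_values(masked)),
        "referential_integrity": join_count(original) == join_count(masked),
        "format_valid": all(luhn_valid(r["account_no"]) for r in masked["accounts"]),
    }


if __name__ == "__main__":
    key = os.urandom(32)  # generated in the masking job; never written to non-prod
    out = mask_tables({"customers": CUSTOMERS, "accounts": ACCOUNTS}, key)
    print(out["customers"])
    print(verify_masking({"customers": CUSTOMERS, "accounts": ACCOUNTS}, out))
```

Two design points a practitioner should carry over. First, deterministic masking is consistent but not injective: the small name lists here can map two different customers to the same fictitious name, which is harmless, while the 15 PRF digits make masked account numbers unique in practice. Second, the security of the scheme rests entirely on key custody, not on the hash: if the key reaches non-production, anyone there can enumerate a customer list or a range of account numbers through the same PRF and match the results. Rotating the key between refreshes would break consistency with data already in test environments, so the control is to keep the key with the masking job and audit who can read it.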
Incident Notification
Under CPS 234, an APRA-regulated entity must notify APRA of an information security incident as soon as possible and, in any case, no later than 72 hours after becoming aware of it. A separate clause requires notification, no later than 10 business days after becoming aware of it, of a material information security control weakness that the entity does not expect to remediate in a timely manner.
This requirement applies to any incident that materially affects, or has the potential to materially affect, the entity or the interests of its customers, either financially or non-financially.
Notification is also mandatory if the incident has been reported to other domestic or international regulators.
Challenges in Achieving CPS 234 Compliance at Enterprise Scale
Here are some of the top challenges I have seen companies face when trying to comply with CPS 234 at scale:
1. Managing Large Volumes of Data
Organisations often struggle to identify and classify vast amounts of data across disparate systems. Non-production often has a large number of unchecked data sources. Almost half of our survey respondents (45%) reported that for each dataset they have in production, they have 3-10 copies of that dataset in non-production.
This issue is compounded if teams don’t have tooling to manage the data going to these environments.
📘Related reading: How to Mitigate the Risks of Sensitive Data Sprawl
2. Protecting Data Across Sources and Environments
In a complex IT landscape, sensitive data is not confined to a single, on-premises data center. It is spread across a wide array of systems, including private clouds, public clouds, hybrid environments, and numerous Software-as-a-Service (SaaS) platforms.
This fragmentation makes it very hard to maintain consistent and robust security controls, as required by standards like CPS 234. Without a unified approach, ensuring that every copy of sensitive data is protected becomes nearly impossible without the right tools.
3. Third-Party Risk Management
Under CPS 234, an organisation's responsibility for protecting sensitive data extends beyond its own four walls. The standard requires regulated entities to assess the information security capability of third parties that manage their information assets, and to hold those parties to controls commensurate with the sensitivity of the data.
Partners, contractors and cloud providers frequently handle or have access to an organisation's most sensitive information. Failing to secure this extended data chain can make your organisation's own security efforts ineffective, and it exposes you to risk you do not directly control.
The challenge is that organisations often lack direct control over the security measures implemented by their third-party partners. Simply handing them raw, sensitive production data creates a major security vulnerability.
4. Governance and Internal Oversight
Effective governance and internal oversight are fundamental pillars of the CPS 234 standard. APRA makes the board of a regulated entity ultimately responsible for the entity's information security. This means the board must be actively involved in setting the information security strategy, understanding the risks, and ensuring that sufficient resources are allocated to maintain compliance.
It is no longer acceptable for cybersecurity to be treated like a technical issue for the IT department to handle; it must be a core component of corporate governance.
Discover Key Insights on Data Compliance and Security
Our 2025 report reveals more surprising findings from 280 enterprise leaders on rising data exposure risks, growing AI concerns, and the current state of data compliance solutions. We found that 60% reported data breaches in non-production. We also found that the volume of sensitive data continues to grow every year in these environments. Understanding these trends is crucial for shaping data privacy compliance at your organisation.
How Perforce Delphix Helps Enterprises Achieve CPS 234 Compliance
Perforce Delphix simplifies the path to compliance with standards like CPS 234 by providing powerful tools to identify, mask, and manage sensitive data across non-production. As we’ve discussed, non-production environments are often overlooked, but that doesn’t mean regulations do not apply to them. (In fact, 100% of the organisations we surveyed have data in non-production that is subject to data privacy regulations.)
Here are five key ways Delphix helps enterprise teams achieve compliance with CPS 234:
Automated Sensitive Data Discovery
Delphix scans structured and semi-structured data sources to identify sensitive fields using pre-built or custom templates.
Irreversible Data Masking
Delphix data masking replaces sensitive values with realistic yet fictitious data that makes it non-identifiable. Deterministic masking preserves the referential integrity of this data across different platforms and data sources.
Rapid Provisioning to Non-Production Environments
Masked data can be delivered instantly to development and test environments using Delphix’s data virtualisation engine. This allows multiple datasets to be created quickly and with a reduced storage footprint.
Audit and Reporting Tools
Built-in dashboards and logs provide visibility into masking activities and help teams demonstrate compliance. Gain full visibility of sensitive data and a single point of control for compliance so you can centrally control risks in non-production.
Centralized Policy Management
Define masking rules once and apply them everywhere — across databases, files, and hybrid or multi-cloud environments — to save time, mask at scale, and avoid the high risk of human error involved in manual masking.
Real-World Success Stories
Here are a few stories that demonstrate how Delphix customers have used masking and virtualisation to achieve compliance quickly and accelerate releases:
BECU: Reduced Data Risk Footprint
Boeing Employees’ Credit Union (BECU) significantly reduced its data risk footprint and fortified its data security standards with Delphix. The credit union was able to mask 680 million rows of sensitive data in just 15 hours, establishing a secure and agile testing infrastructure. By leveraging Delphix for data virtualization and masking, BECU can now deploy new products and enhancements up to twice as fast, providing greater value to its members without compromising security.
Sky Italia: Rapid GDPR Compliance
Sky Italia, a leading European media company, successfully met a tight GDPR compliance deadline in just five months by implementing Delphix. This strategic adoption not only ensured data privacy but also delivered substantial operational improvements. The company reduced its infrastructure footprint by over 90% and slashed operational costs by 30%, all while enhancing its test data management procedures to accelerate software releases and improve application quality.
UniSuper: Secured Sensitive Data and Improved Testing
UniSuper, a leading Australian superannuation fund, secured sensitive data while improving testing efficiency. By implementing Delphix’s data masking and automation capabilities, they reduced environment refresh times from six hours to under 60 minutes, enhanced security compliance, and achieved a 70% improvement in development team efficiency.
Achieve CPS 234 Compliance with Delphix Data Masking
Delphix delivers advanced data masking capabilities designed to help businesses achieve CPS 234 compliance and mitigate security risks. By automatically identifying sensitive data, such as names, emails, and financial details, and transforming them into realistic but non-identifiable values, Delphix ensures compliance while maintaining data integrity.
Related blog >> What Is Delphix?
Comply with APRA CPS 234 and Protect Sensitive Data
With Delphix, teams can define centralised masking policies and deploy them across the organisation to comply with APRA's CPS 234 standard. By transforming sensitive data into fictitious but realistic versions before it leaves production, Delphix keeps real customer data out of less secure non-production environments, where vast amounts of critical data often reside, so a breach there exposes only masked values.
Integrate Masking with Virtual Data Delivery
Teams using Delphix develop applications 58% faster and protect 77% more data and environments through automated masking.* The Delphix DevOps Data Platform combines powerful masking with data virtualization, enabling enterprises to securely deliver masked data for development, testing, analytics, and AI. These virtual data copies behave like physical ones but use only a fraction of the storage and can be provisioned in minutes — boosting compliance without sacrificing speed.
Get Started with Data Masking for CPS 234 Compliance
Discover how Delphix can help your organisation meet CPS 234 compliance standards with fast and automated data masking solutions. Request a no-pressure compliance demo today to learn why enterprises trust Delphix for secure, compliant data management.
*IDC Business Value White Paper, sponsored by Delphix, by Perforce, The Business Value of Delphix, #US52560824, December 2024