
Enhancing Information Security Assurance for APRA-Regulated Institutions

By Adam Bradley, SE ANZ, OPSWAT

As cyber threats continue to evolve in scale and sophistication, APRA’s Prudential Standard CPS 234: Information Security remains a cornerstone of information security governance for Australian financial institutions. This standard sets out mandatory requirements to ensure regulated entities maintain strong, proportionate, and resilient information security capabilities.

Supporting CPS 234 is the Prudential Practice Guide CPG 234, which provides practical guidance, examples, and risk management considerations to help entities interpret and implement CPS 234 effectively. While CPS 234 defines what must be done, CPG 234 focuses on how it can be achieved in practice.

Together, both documents emphasise defence-in-depth, strong preventative controls, continuous monitoring, and demonstrable assurance, all areas where OPSWAT’s threat prevention and zero-trust solutions can play a key enabling role.

CPS 234 and CPG 234: How They Work Together

  • CPS 234 is enforceable and outcome-based, requiring entities to maintain an information security capability that is appropriate to their environment and the criticality of their data and assets.
  • CPG 234 is non-binding guidance that expands on CPS 234, offering examples of good practice across governance, control implementation, testing, and incident management. It also encourages preventative, detective, and corrective controls, with an emphasis on blocking threats as early as possible.

CPG 234 repeatedly stresses:

  • layered preventative controls,
  • reducing attack surface at entry points,
  • controlling data flows and endpoints,
  • continuous control testing and assurance,
  • and practical evidence to support Board and regulatory oversight.

These themes align closely with OPSWAT’s “Trust No File, Trust No Device” philosophy.

How OPSWAT Can Help Secure APRA-Regulated Institutions

OPSWAT’s MetaDefender Platform delivers layered preventative controls across multiple attack vectors:

Multiscanning and Deep CDR™ Technology

CPG 234 highlights the importance of implementing multiple layers and types of controls, so that if one control fails, other controls limit the impact of an information security compromise.

OPSWAT uses multiple scanning technologies to provide deep, defence-in-depth file inspection. It leverages 30+ anti-malware engines with signatures, heuristics, machine-learning detection and an AI threat detection engine, alongside file reputation and hash analysis for rapid classification of known threats.

For unknown and zero-day attacks, Deep CDR™ Technology removes active or malicious content and rebuilds files into a safe, usable format, applying the principle of ‘never trust, always identify’.

Secure File and Data Transfers

CPG 234 encourages strong controls over data movement between systems, third parties, and trust zones. OPSWAT inspects and sanitises files at gateways and transfer points, helping protect data confidentiality and integrity. MetaDefender ICAP can provide scanning of data in transit via various networking devices.

Products and services hosted online by institutions in the financial sector can use MetaDefender’s REST API, in combination with MetaDefender Storage Security, to secure file uploads.

Vulnerability and Software Risk Assessment

CPG 234 calls for proactive identification of weaknesses. OPSWAT’s file-based vulnerability assessment capabilities help identify risky or outdated software before applications are deployed into the environment. Additionally, OPSWAT’s SBOM (Software Bill of Materials) generation can help secure application development within a DevOps workflow.

These controls help demonstrate that information security capability is commensurate with risk, as required by CPS 234.

Strengthening Identity and Access

Both CPS 234 and CPG 234 highlight the risks posed by unmanaged devices, remote access, and third-party connections. CPG 234 specifically encourages validating endpoint security posture before granting access to systems and data.

OPSWAT’s MetaDefender Access enables device-aware, zero-trust access controls by assessing endpoint posture. It includes checks such as OS level, security software, encryption, geolocation, vulnerabilities, and patch management before access is granted.

This supports:

  • stronger access control enforcement
  • reduced exposure from insecure or unmanaged endpoints
  • and better alignment with CPG 234’s recommended practices for remote access and third-party connectivity.
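The posture gate described above, as an added example that is not OPSWAT’s code and does not use the MetaDefender Access API: a hypothetical policy (the thresholds, posture fields and the three-way allow/restricted/deny outcome are all assumptions) is evaluated against a device report before access is granted. Hard failures (unmanaged device, no disk encryption, unsupported or outdated OS, no endpoint protection) deny outright, while stale patches or signatures yield a restricted session pending remediation; an unknown platform fails closed.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical policy thresholds (assumption): a real policy comes from the
# entity's own standard and is administered in the access-control product.
POLICY = {
    "min_os_version": {"windows": (10, 0, 19044), "macos": (13, 0, 0)},
    "max_patch_age_days": 30,
    "max_signature_age_days": 7,
}


@dataclass
class DevicePosture:
    os_name: str
    os_version: tuple           # e.g. (10, 0, 19045)
    managed: bool               # enrolled in the organisation's device management
    disk_encrypted: bool
    av_running: bool
    av_signature_age_days: int
    last_patch: date


def evaluate_posture(p: DevicePosture, today: date):
    """Return (decision, reasons); decision is 'allow', 'restricted' or 'deny'."""
    hard, soft = [], []
    min_os = POLICY["min_os_version"].get(p.os_name)
    if min_os is None:
        hard.append(f"unsupported OS {p.os_name!r}")   # fail closed on unknown platforms
    elif p.os_version < min_os:
        hard.append(f"OS below minimum version {min_os}")
    if not p.managed:
        hard.append("device not enrolled in management")
    if not p.disk_encrypted:
        hard.append("disk not encrypted")
    if not p.av_running:
        hard.append("endpoint protection not running")
    elif p.av_signature_age_days > POLICY["max_signature_age_days"]:
        soft.append(f"signatures {p.av_signature_age_days} days old")
    patch_age = (today - p.last_patch).days
    if patch_age > POLICY["max_patch_age_days"]:
        soft.append(f"last patched {patch_age} days ago")
    if hard:
        return "deny", hard + soft
    if soft:
        # e.g. browser-only access with no file transfer until the device is remediated
        return "restricted", soft
    return "allow", []


if __name__ == "__main__":
    # Constructed device reports for illustration.
    today = date(2024, 6, 1)
    corporate = DevicePosture("windows", (10, 0, 19045), True, True, True, 2, date(2024, 5, 20))
    byod = DevicePosture("linux", (6, 8, 0), False, False, False, 0, date(2024, 5, 30))
    print(evaluate_posture(corporate, today))
    print(evaluate_posture(byod, today))
```

The reasons list is what the access log should carry: a denied user and the help desk both need to know which check failed, and a Board-level assurance report can count denials by reason.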

Visibility of Supply Chain Risks

CPS 234 requires entities that develop software in-house to consider security controls as part of the software development lifecycle (SDLC). CPG 234 reinforces this by stressing the need for an ongoing approach to software security, including identifying requirements, design, selection and configuration, and the standards and guidelines to adhere to.

OPSWAT’s MetaDefender Software Supply Chain assists application developers in validating that source code, libraries and third-party dependencies have been screened and cleared of malicious components, vulnerabilities, and embedded secrets that may have been left unintentionally within the source code.

This directly supports APRA’s expectations on software security and supply chain risk management by:

  • Enhancing software security controls across the SDLC.
  • Using SBOM for increased supply chain visibility.
  • Embedding within the DevOps workflow.
  • Supporting risk-based assessments for reporting and governance.

Increasing the speed of Incident Detection, Response, and Reporting

CPS 234 mandates timely detection and notification of information security incidents. CPG 234 expands on this by encouraging strong integration between preventative controls, monitoring platforms, and response processes.

While OPSWAT is not a SIEM or SOC platform, it integrates with broader security ecosystems by:

  • feeding threat intelligence and detection outcomes into SIEM and SOAR tools,
  • enriching incident context with file, device, and vulnerability intelligence, and
  • enabling faster investigation and response.

OPSWAT’s MetaDefender Aether is 20x faster than traditional sandbox technologies when performing malware analysis. This can help SOC teams to improve their response times when detecting and responding to security incidents.

It uses a combination of:

  • Threat Reputation - Checks URLs, IPs, and domains in real time or offline to detect malware, phishing, and botnets. Blocks reused infrastructure and commodity malware and forces attackers to rotate basic indicators.
  • Dynamic Analysis - An emulation-based sandbox (it analyses malware by interpreting its execution at the instruction level, without running a full virtual machine) analyses files to detect hidden threats such as ransomware. It exposes artifacts, loader chains, script logic and evasion tactics.
  • Threat Scoring - Behavioural indicators, reputation context, and detection logic are correlated to assign a confidence-based risk score, helping SOC teams prioritise what truly matters. It is designed to detect and analyse malicious behaviours, focusing on key tactics within the MITRE ATT&CK framework.
  • Threat Hunting - The Threat Pattern Correlator search connects unknown samples to known malware families, infrastructure, and campaigns, enabling proactive hunting and retroactive analysis.

OPSWAT’s MetaDefender Network Detection & Response (NDR) platform provides high-throughput DFI (Deep File Inspection) for threat and data leakage prevention, detection, and hunting. MetaDefender NDR aims to automate and scale the expert knowledge of a typical SOC analyst. MetaDefender NDR pairs Deep File Inspection with unique threat intelligence sources, and a seasoned signature development team augmented by machine learning.

The solution focuses on identifying and analysing files downloaded over the web or received via email to detect malicious code. MetaDefender NDR collects all HTTP and SMTP network traffic sessions from taps, SPAN ports, or packet capture files, and performs Deep File Inspection on the captured data.

DFI gives analysts a quick way to filter malicious content out and generate alerts on it or perform threat hunting to triage suspicious content for more detailed analysis.

Unlike most Network Intrusion Detection Systems (NIDS), MetaDefender NDR specialises in analysing a combination of file attributes, file content and network characteristics in their native format. Hidden data, such as embedded and/or compressed streams inside file formats, which are commonly used to evade detection by NIDS, is extracted and normalised to maximise the effectiveness of the signature-based scanning that follows.
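The normalisation step described above, as an added example that is not OPSWAT’s code and makes no claim about how MetaDefender NDR is implemented internally: a recursive unpacker that peels zip and gzip layers off an in-memory file and signature-scans every leaf stream, beside a flat scan that only looks at the raw bytes. The signature, the nested sample and the depth/size/member-count budgets are constructed for the example; the budgets are there because an unpacker without them is itself a decompression-bomb target, and a file that exhausts them is reported as `truncated` rather than silently passed.

```python
import gzip
import io
import zipfile
from dataclasses import dataclass, field

# Constructed placeholder signature; a stand-in for a real signature set.
SIGNATURES = {b"CONSTRUCTED-TEST-PATTERN-1": "Test.Pattern.1"}

# Limits so that normalisation cannot be turned into a denial of service
# by deeply nested or highly compressible archives.
MAX_DEPTH = 8
MAX_TOTAL_BYTES = 16 * 1024 * 1024
MAX_MEMBERS = 1000

@dataclass
class Finding:
    path: str        # logical path through the containers to the matching stream
    signature: str

@dataclass
class InspectionResult:
    findings: list = field(default_factory=list)
    leaves_scanned: int = 0
    bytes_consumed: int = 0
    truncated: bool = False   # a limit or an unreadable layer stopped inspection: treat as suspect

def scan_flat(data: bytes) -> list:
    """Signature scan over the raw bytes only, with no unpacking."""
    return [name for pattern, name in SIGNATURES.items() if pattern in data]

def _read_limited(fh, result):
    """Read at most the remaining byte budget; None when it would be exceeded."""
    remaining = MAX_TOTAL_BYTES - result.bytes_consumed
    chunk = fh.read(remaining + 1)
    return chunk if len(chunk) <= remaining else None

def _inspect(data, path, depth, result):
    result.bytes_consumed += len(data)
    if depth > MAX_DEPTH or result.bytes_consumed > MAX_TOTAL_BYTES:
        result.truncated = True
        return
    if data[:4] == b"PK\x03\x04":              # zip local file header
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for i, info in enumerate(zf.infolist()):
                    if i >= MAX_MEMBERS:
                        result.truncated = True
                        return
                    if info.is_dir():
                        continue
                    with zf.open(info) as fh:
                        member = _read_limited(fh, result)
                    if member is None:
                        result.truncated = True
                        return
                    _inspect(member, f"{path}/{info.filename}", depth + 1, result)
            return
        except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
            result.truncated = True             # corrupt, encrypted or unsupported: fail closed
    elif data[:2] == b"\x1f\x8b":               # gzip magic
        try:
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
                inner = _read_limited(gz, result)
            if inner is None:
                result.truncated = True
                return
            _inspect(inner, f"{path}!gz", depth + 1, result)
            return
        except (OSError, EOFError):
            result.truncated = True
    # Leaf stream (or a container we could not open): scan the bytes as they are.
    result.leaves_scanned += 1
    result.findings += [Finding(path, n) for p, n in SIGNATURES.items() if p in data]

def inspect(data: bytes, name: str = "sample") -> InspectionResult:
    """Recursively unpack zip/gzip layers and signature-scan every leaf stream."""
    result = InspectionResult()
    _inspect(data, name, 0, result)
    return result

def _zip_bytes(member_name, content):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()

def build_nested_sample() -> bytes:
    """Constructed input: the pattern in a text file, zipped, gzipped, zipped again."""
    text = b"Quarterly report draft.\n" * 20 + b"CONSTRUCTED-TEST-PATTERN-1\n"
    return _zip_bytes("attachment.zip.gz", gzip.compress(_zip_bytes("report.txt", text)))

def build_deep_nesting(levels: int) -> bytes:
    """Constructed input: harmless text wrapped in `levels` zip layers."""
    data = b"harmless"
    for i in range(levels):
        data = _zip_bytes(f"level{i}.zip", data)
    return data

if __name__ == "__main__":
    sample = build_nested_sample()
    print("flat scan:", scan_flat(sample))          # nothing: the pattern is compressed
    print("deep inspection:", inspect(sample))      # finds it in the innermost member
    print("12 layers:", inspect(build_deep_nesting(12)).truncated)
```

The flat scan returns nothing for the nested sample because a DEFLATE stream never contains the plaintext pattern; the recursive inspection reports the match together with the container path, which is the detail an analyst needs for triage. A real deployment would handle many more container and document formats than zip and gzip, but the shape is the same: unpack, budget, scan the leaves, and flag anything the unpacker could not finish.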

Additionally, MetaDefender NDR improves speed not through a single feature, but by removing friction across the SOC workflow:

  • Detect earlier (deep inspection + threat intel)
  • Investigate faster (context-rich, correlated data)
  • Respond quicker (automation + integrated actions)
  • Report efficiently (SIEM-ready outputs)

Essentially, MetaDefender NDR reduces dwell time and analyst workload simultaneously, turning detection into immediate, actionable response rather than delayed investigation.

Translating APRA’s Information Security Standards into Practical Security Outcomes

CPS 234 defines the regulatory outcomes APRA expects, while CPG 234 provides the blueprint for achieving them in practice. Together, they emphasise proactive risk reduction, layered controls, continuous testing, and demonstrable assurance.

OPSWAT’s threat prevention, zero-trust access, and supply chain assessments help organisations operationalise these expectations by:

  • reducing attack surface at key entry points,
  • strengthening preventative controls aligned to better practice,
  • generating audit-ready evidence of control effectiveness, and
  • supporting resilient incident detection and response processes.

For APRA-regulated entities, using OPSWAT to support implementation of these information security standards helps bridge the gap between compliance obligations and real-world cyber resilience.

If your organisation operates under APRA, get in touch and see how OPSWAT can support compliance.
