Is the Australian Prudential Regulation Authority (APRA) going to begin mandating SOC2 Compliance?
The current threat landscape is ever-changing. On top of the privacy and security challenges that CISOs and security managers face day to day, compliance requirements become more complicated when organisations partner with third-party businesses such as SaaS platforms and managed service providers.
Being SOC 2 certified can significantly bolster an organisation’s privacy and security posture and help it meet compliance requirements. However, it can also be time-consuming, resource-intensive and costly. A lack of resources and time for such projects is a common challenge many businesses face, not to mention justifying the financial spend of complying with standards such as SOC 2.
What is SOC2 Certification?
Service Organization Control 2 (SOC 2) defines the criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality, and privacy. SOC 2 was developed by the American Institute of Certified Public Accountants (AICPA).
Will the Australian Prudential Regulation Authority (APRA) begin mandating SOC2 Compliance?
Our Governance, Risk and Compliance Team recently contacted APRA to discuss any future mandating of standards, specifically around requiring SOC 2 compliance, and APRA’s team responded with the following statement.
‘APRA requires regulated entities to evaluate the design of third party’s information security controls that protect the information assets of the APRA-regulated entity. These are referred to in paragraphs 21 and 22 of CPS 234.
APRA’s guidance is provided, as you have already mentioned, via CPG 234. Please note APRA does not specify the manner in which this requirement is achieved.’
Source: APRAinfo.
So do your suppliers need to be SOC 2 compliant? The answer is no. Although beneficial, it will not be mandated by APRA.
Important things to consider if you want to be SOC2 Compliant or are requesting SOC2 compliance from your suppliers
- Evaluate the time and resources it will take to obtain SOC 2 certification.
- SOC 2 compliance audits are a costly exercise. Are you prepared for the audit, and do you or your supplier have the funding needed?
- Only licensed Certified Public Accountants (CPAs) and audit firms approved by the AICPA can conduct the compliance audit.
If you’re not sure whether you need to be SOC2 Certified, or whether you should be demanding SOC2 compliance from your suppliers, schedule a quick chat with our security consultants to discuss what’s best for your business requirements.