APRA’s CPS 230 & CPS 234: Strengthening Operational & Cyber Resilience

APRA is making big moves to tighten operational risk and cybersecurity resilience for financial institutions. In today’s episode, we’re diving into:

Topics Covered:

  • CPS 230 Operational Risk Management – New requirements for business continuity, vendor management, and risk oversight.
  • Why APRA rescinded its Cloud Outsourcing Paper – What this means for third-party IT providers.
  • CPS 234 Information Security – Why cyber resilience is now an APRA compliance requirement.
  • How businesses can prepare for July 2025 and beyond.

Episode Transcript

In today’s episode, we’re focusing on the Australian Prudential Regulation Authority’s (APRA) recent developments: the introduction of Prudential Standard CPS 230 on Operational Risk Management and the rescission of the 2018 Information Paper on Cloud Outsourcing. We’ll also discuss how this aligns with CPS 234, which governs information security. Welcome to the Don’t Be A Sitting Duck Podcast, I’m Leigh Kefford—let’s dive in.
APRA has introduced Prudential Standard CPS 230 to enhance the resilience of regulated entities against operational risks and disruptions. This standard mandates that entities effectively manage operational risks, ensure the continuity of critical operations during severe disruptions, and oversee risks associated with service providers. The approach to operational risk must align with each entity’s size, business mix, and complexity. Key requirements include the identification and management of operational risks through robust internal controls, maintaining critical operations within defined tolerance levels via a credible business continuity plan, and implementing a comprehensive service provider management policy with formal agreements and monitoring mechanisms.
CPS 230 is set to commence on 1 July 2025. (apra.gov.au) In light of CPS 230’s introduction, APRA has rescinded its 2018 Information Paper titled “Outsourcing Involving Cloud Computing Services.” This move reflects the comprehensive nature of CPS 230, which now encompasses formal supervisory coverage for entities with cloud service provider arrangements.
By consolidating guidance under CPS 230, APRA aims to streamline its prudential framework, reducing redundancy and ensuring that all operational risk management practices, including those related to cloud outsourcing, adhere to a unified standard. (apra.gov.au) While CPS 230 focuses broadly on operational risk management, APRA also enforces CPS 234, which specifically addresses information security requirements for APRA-regulated entities.
CPS 234 mandates that entities maintain information security capabilities in proportion to their risk exposure and continually assess the evolving threat landscape. Organisations must:

  • Clearly define roles and responsibilities for information security governance.
  • Identify and classify critical information assets, ensuring they are adequately protected.
  • Implement controls to prevent, detect, and respond to information security incidents.
  • Regularly test security controls to maintain resilience against cyber threats.
  • Ensure that third-party providers meet security requirements when handling sensitive data.

CPS 234 highlights the increasing importance of cybersecurity within operational risk frameworks, aligning closely with CPS 230’s broader resilience objectives. As more businesses migrate to cloud-based solutions, integrating both operational and cybersecurity risk management is crucial to maintaining compliance and preventing data breaches. With the rescission of outdated cloud outsourcing guidance, organisations must now embed risk management within their core operational strategies, ensuring that both governance and cybersecurity controls are up to APRA standards.
  • Review and Align Compliance Strategies: Organisations should assess their existing risk management frameworks to ensure alignment with both CPS 230 and CPS 234.
  • Enhance Third-Party Risk Management: With CPS 230 reinforcing the need for robust service provider oversight, businesses should conduct comprehensive due diligence on cloud and IT vendors.
  • Strengthen Business Continuity Planning: Ensure that resilience measures and response strategies meet APRA’s requirements to prevent severe disruptions.
  • Conduct Regular Cybersecurity Audits: Continuous testing and assessment of cybersecurity controls will be necessary to comply with CPS 234 and to mitigate emerging threats.

That’s a wrap for today’s episode! Want more cybersecurity insights?

Head over to sittingduck.com.au for show notes, resources, and the latest updates.

Thinking about your business security? Here’s what to do next:

✅ Book your free Empower Systems Assessment to uncover vulnerabilities and learn how to strengthen your defences.

🎧 Listen to my audiobook, Sitting Duck – The Phone Call You Don’t Want to Receive—a real-world look at Business Email Compromise. Available now on Spotify and leading audiobook platforms.

Until next time—stay safe, stay informed, and don’t be a sitting duck!
