The Australian Prudential Regulation Authority (APRA) is instrumental in maintaining the financial stability and security of institutions across Australia. Two pivotal prudential standards, CPS 230 and CPS 234, focus on essential elements of operational resilience and information security. Grasping the connection between these standards is crucial for financial entities aiming to stay compliant and boost their operational effectiveness.
Important update: CPS 230 came into effect on 1 July 2025. If your organisation is APRA-regulated, compliance obligations are now active. Non-significant financial institutions (non-SFIs) have an extension on certain requirements until 1 July 2026. Read on for a full breakdown of what has changed, what is still to come, and what Insicon Cyber recommends you do now.
APRA CPS 230 focuses on the operational resilience of financial institutions, highlighting the importance of withstanding, responding to, and recovering from disruptive events. This encompasses business continuity, risk management frameworks, and testing resilience strategies across various scenarios. The standard not only prepares organisations for anticipated disruptions but also encourages the development of adaptive strategies for unforeseen circumstances. This proactive approach ensures that financial institutions can maintain critical operations, thereby safeguarding customer trust and the overall stability of the financial system.
On the other hand, CPS 234 focuses on information security management. This standard establishes a comprehensive framework for identifying and mitigating risks associated with information assets, fostering a culture of security, and ensuring that entities maintain robust defences against cyber threats. Emphasising a security-first mindset is essential in today's digital landscape, where cyberattacks are increasingly sophisticated and frequent. Organisations are encouraged to implement continuous monitoring and improvement processes, ensuring that their security measures evolve in tandem with emerging threats.
Both standards stem from APRA's commitment to fostering a resilient financial system. An institution's ability to operate effectively during disruptions and its capability to protect sensitive information are interlinked.
Furthermore, these standards promote a holistic view of risk management, urging institutions to integrate operational resilience and information security into their overall governance frameworks. By doing so, organisations can create a more cohesive strategy that not only addresses compliance but also enhances their competitive advantage in a rapidly changing environment.
CPS 230 consolidates and replaces five existing prudential standards that many Australian financial institutions will be familiar with: CPS 231 (Outsourcing), CPS 232 (Business Continuity Management), SPS 232 (Business Continuity Management for superannuation), CPG 233 (Operational Risk), and CPG 231 (Outsourcing). This unification is significant. Rather than managing separate frameworks for outsourcing and business continuity, entities now operate under a single, unified operational risk standard. If your organisation has historically managed CPS 231 or CPS 232 compliance in silos, CPS 230 requires you to bring those workstreams together.
In addition to compliance, APRA CPS 230 and CPS 234 encourage financial institutions to engage in regular training and awareness programs for their staff. The investment in human capital is essential, as employees play a critical role in both operational resilience and information security. By fostering a culture of awareness and preparedness, organisations can empower their workforce to recognise potential threats and respond effectively, thereby minimising the impact of disruptive events.
Additionally, collaboration with third-party vendors and partners is highlighted, given that many financial institutions depend on external services that may pose vulnerabilities. Building robust relationships and maintaining clear communication channels can greatly improve an institution's overall resilience and security stance.
The main goal of CPS 230 is to ensure that entities are equipped to manage operational disruptions while sustaining essential services. This entails outlining key resilience measures, such as detailed incident response plans and continuity management systems. By implementing these frameworks, organisations can more effectively address unforeseen challenges, including cyberattacks, natural disasters, or technological failures, which might otherwise cause significant service interruptions.
Additionally, CPS 230 encourages institutions to regularly assess their operational risks and review their resilience strategies. This ongoing evaluation aids in the proactive identification of vulnerabilities that could jeopardise essential operations during crises. Institutions are urged to adopt a culture of continuous improvement, where lessons learned from past incidents inform future preparedness efforts. This iterative process not only enhances the resilience of the organisation but also fosters a more robust risk management framework that can adapt to the evolving landscape of threats.
Ultimately, the intent is to safeguard not only the institution but also the stakeholders who depend on its services, thus contributing to a stable financial sector. By prioritising resilience, organisations can instil confidence among clients and investors, reassuring them that their interests are protected even in the face of adversity. Furthermore, CPS 230 emphasises the importance of collaboration among institutions, regulators, and industry stakeholders, promoting a collective approach to operational resilience that strengthens the entire financial ecosystem.
Moreover, the implementation of CPS 230 requires entities to invest in training and awareness programs for their employees. By equipping staff with the knowledge and skills necessary to respond effectively to operational disruptions, organisations can ensure a swift and coordinated response. This human element is crucial, as the effectiveness of incident response plans often hinges on the preparedness and agility of the personnel involved. Regular drills and simulations can help reinforce these skills, creating a workforce that is not only aware of potential risks but also adept at executing the strategies laid out in their continuity management systems.
One of the most operationally significant obligations introduced by CPS 230 is the requirement for APRA-regulated entities to maintain and submit a Material Service Provider (MSP) register. A material service provider is any provider your organisation relies upon to deliver a critical operation, or whose arrangement exposes you to material operational risk.
APRA released its MSP register template in October 2024, and the first completed registers were required to be submitted to APRA by 1 October 2025. This register must be submitted annually going forward. In June 2025, APRA also released electronic notification forms for entities to use when reporting material events and tolerance breaches under CPS 230.
From a supervisory standpoint, APRA has made clear that it will use MSP register data actively. Entities that appear to be outliers in terms of their service provider arrangements can expect heightened scrutiny. If your organisation has not yet submitted its first register, or is unsure whether your register accurately reflects your critical operations, Insicon Cyber's Managed Compliance Services can help you get across the line.
Source: APRA Operational Risk Management page
In December 2025, APRA released a consultation letter proposing targeted amendments to CPS 230 to address a practical challenge that many Australian banks, superannuation funds, and insurers have raised since the standard went live. The issue relates to non-traditional service providers (NTSPs), which are market-mandated providers such as stock exchanges, payment schemes, and clearing and settlement facilities.
Because these providers typically do not offer negotiable contracts, applying CPS 230's contractual and service level obligations to them has been difficult in practice. The proposed amendments would create a defined list of NTSPs that are exempt from certain contractual requirements under paragraphs 54, 55, 56(d), 57, 58(a) and 58(c) of CPS 230, while all other risk obligations, including continuity planning, ongoing monitoring, and risk management, would continue to apply.
The consultation closed on 30 January 2026, and APRA has committed to finalising the amendments before the 1 July 2026 compliance deadline for service provider contracts. If your organisation has arrangements with stock exchanges, payment schemes, or other market infrastructure providers, this amendment is directly relevant to your compliance programme.
Source: APRA Targeted Amendments to CPS 230
CPS 234 aims to protect the integrity and confidentiality of information through robust security measures. Its objectives include establishing a comprehensive information security framework that encompasses policy development, risk assessment, and proactive threat management.
The standard requires financial institutions to identify information security incidents promptly and to implement effective responses without delay. Regular training and awareness programs are also mandated to cultivate a culture of security within the organisation.
In essence, CPS 234 seeks to ensure that all financial entities can respond to cyber security threats and vulnerabilities, thus protecting consumer and institutional data alike.
In June 2025, APRA issued a notably direct letter to the board chairs of all registrable superannuation entity (RSE) licensees, reminding them of their binding obligations under CPS 234. The trigger was a pattern of credential stuffing incidents across the superannuation sector, which exposed persistent weaknesses in authentication controls.
APRA's message was unambiguous: there is a gap between what the standard requires and what many trustees currently have in place, and APRA has run out of patience waiting for voluntary uplift. All RSE licensees were required to complete the following actions by 31 August 2025:
This last point is significant. APRA's explicit connection of CPS 234 compliance to FAR accountability means that information security is no longer solely a technical or operational matter. It is a named executive accountability. For boards and senior leaders at Australian financial institutions, the question "who is accountable for our CPS 234 compliance under FAR?" now requires a clear, documented answer.
Certain RSE licensees directly affected by credential stuffing incidents were also required to undertake a special purpose engagement, rather than the general self-assessment, to assess the adequacy of their authentication controls specifically.
Source: APRA: For Action, Information Security Obligations and Critical Authentication Controls
When comparing CPS 230 and CPS 234, a few distinct differences and similarities emerge. Both standards share a foundation in risk management and resilience, yet they target slightly different arenas. CPS 230 focuses on overall operational resilience, whereas CPS 234 zeroes in on information security.
Despite the differences, there is a notable intersection: effective information security contributes to operational resilience and vice versa. For instance, an institution that has robust information security measures in place may be better equipped to maintain its operations during a cyber incident.
Therefore, while targeting different aspects, both CPS 230 and CPS 234 are integral to a bank's risk management framework, emphasising a holistic approach to resilience and security.
It is also worth noting that APRA has clarified that an information security incident reported under CPS 234 does not need to be separately reported under CPS 230. The two notification obligations do not overlap, which simplifies incident reporting for regulated entities managing both standards simultaneously.
One of the most common questions Insicon Cyber receives from Australian and New Zealand-based financial institutions relates to which obligations apply to them and by when. The following summarises the current compliance timeline.
| Date | Obligation | Who it applies to |
|---|---|---|
| 1 July 2025 | CPS 230 comes into full effect (all core requirements) | All APRA-regulated entities |
| 1 October 2025 | First Material Service Provider register due to APRA | ADIs, superannuation trustees, insurers |
| 1 July 2026 | Business continuity and scenario analysis requirements commence; service provider contract uplift deadline; non-SFI full compliance deadline; finalisation of NTSP amendments | Non-SFIs; all entities with existing MSP contracts |
| 2027 to 2028 | Business-as-usual ongoing supervision; possible consultation on a formal CPS 230 reporting standard | All APRA-regulated entities |
Non-significant financial institutions (non-SFIs), broadly those that are not authorised deposit-taking institutions with total assets above AUD 20 billion, are entitled to a 12-month extension on the business continuity and scenario analysis requirements. However, those entities must continue to comply with the legacy CPS 232 or SPS 232 standards in the interim. Non-SFIs may elect to transition in full ahead of the July 2026 deadline if they are ready to do so.
Source: APRA Response to Submissions: CPG 230 Operational Risk Management
To effectively align with both CPS 230 and CPS 234, financial institutions across Australia and New Zealand should adopt a few best practices:
By following these practices, institutions can ensure they meet the stringent requirements set forth by APRA in both standards while building a genuinely more resilient organisation.
As the financial landscape evolves, so too does APRA's regulatory posture. The authority has moved from broad consultation to active supervision, and from guidance to enforcement. Australian and New Zealand financial institutions should be tracking not just the standards themselves, but the supervisory signals APRA is sending through its letters and corporate plan commitments.
In a series of letters to all APRA-regulated entities in June and August 2024, Alison Bliss, General Manager, Operational Resilience, in APRA's Cross-Industry Division, called out the need for all entities to "remain vigilant and proactively implement strategies to mitigate the risk and impact of potential cyber-attacks".
In the June 2024 letter, one area where APRA identified vulnerabilities was the implementation of data backups to prevent data loss. Regular backups are a critical component of the Essential Eight cyber mitigation strategies and a baseline requirement of CPS 234. However, APRA's supervisory activities revealed that, although many entities have backup procedures in place, common issues can hinder the effectiveness of those backups when systems must be restored during an incident.
The August 2024 letter highlighted several common weaknesses in cyber resilience among banks, superannuation funds, and insurance companies. These weaknesses primarily focused on three key areas:
As covered in the CPS 234 section above, APRA's June 2025 letter to RSE licensees marked a significant shift in tone. This was not a guidance letter or an industry update. APRA used the word "action" in the title deliberately. Trustees that received the letter were required to perform specific compliance actions by 31 August 2025, with direct consequences for those that did not. The letter also explicitly tied CPS 234 obligations to FAR accountability, making information security a named executive responsibility for the first time in such direct terms.
For APRA-regulated entities in Australia, the combined signal from these letters is clear: supervisory patience for known weaknesses, whether in backup integrity, privileged access, authentication controls, or configuration management, is now exhausted. APRA expects to see faster and more decisive remediation.
APRA has published a three-year supervision programme for CPS 230 compliance, which provides Australian and New Zealand financial institutions with an unusually transparent view of what to expect from the regulator over the coming years.
The prospect of a formal reporting standard from 2028 is a significant signal. It suggests APRA is moving toward a model where operational risk posture is disclosed systematically, not just when something goes wrong. Organisations that build strong data collection and reporting capabilities now will be far better positioned when that standard arrives.
Source: MinterEllison: APRA's Final Guidance on CPS 230 | Corrs: New Insights for CPS 230 Compliance
Yes. CPS 230 is a binding prudential standard that applies to all APRA-regulated entities, including authorised deposit-taking institutions (ADIs), general insurers, life insurers, private health insurers, and registrable superannuation entity (RSE) licensees. It came into effect on 1 July 2025 for all entities, with non-SFIs receiving an extension on business continuity and scenario analysis requirements until 1 July 2026.
CPS 230 covers the broader management of operational risk, including business continuity, critical operations, and third-party service provider management. CPS 234 focuses specifically on information security, covering how entities protect their information assets against cyber threats. The two standards are complementary: strong information security under CPS 234 contributes directly to operational resilience under CPS 230. APRA has confirmed that an incident notified under CPS 234 does not need to be separately reported under CPS 230.
A material service provider (MSP) is any provider your organisation relies upon to deliver a critical operation, or whose arrangement exposes the entity to material operational risk. Importantly, not every arrangement with an MSP is itself a material arrangement. Only those arrangements that are critical to your operations or introduce material risk are subject to the full contractual and service level requirements under CPS 230.
Non-significant financial institutions must comply with all CPS 230 requirements by 1 July 2026. Specifically, the deferred requirements relate to business continuity planning and scenario analysis. In the interim, non-SFIs must continue to comply with the existing CPS 232 or SPS 232 standards as applicable.
Yes. CPS 234 applies to all APRA-regulated entities, including RSE licensees (superannuation trustees). APRA's June 2025 letter made explicitly clear that superannuation funds are expected to meet all CPS 234 requirements, with particular attention to authentication controls and multi-factor authentication. APRA also expects RSE licensees to have nominated their Financial Accountability Regime (FAR) accountable person(s) for CPS 234 compliance.
NTSPs are market-mandated providers such as stock exchanges, payment schemes, and clearing and settlement facilities. Because these providers typically do not offer negotiable contracts, APRA is consulting on targeted amendments to CPS 230 to clarify how the standard's contractual obligations apply to them. These amendments are expected to be finalised before 1 July 2026. All other CPS 230 obligations, including monitoring and continuity planning, continue to apply to NTSP arrangements.
FAR requires APRA-regulated entities to nominate accountable persons for key responsibilities, including operational resilience and information security. APRA's June 2025 letter to RSE licensees specifically required entities to identify which Accountable Person(s) under FAR hold responsibility for CPS 234 compliance. This effectively means information security is now a named executive accountability, not just an IT or risk function responsibility. Boards and senior executives at Australian financial institutions should ensure their FAR accountability maps clearly cover both CPS 230 and CPS 234 obligations.
Insicon Cyber is your strategic partner for navigating APRA CPS 230 and CPS 234 compliance, offering tailored solutions that encompass comprehensive risk assessments, policy development, and business continuity planning. With our expertise, organisations across Australia and New Zealand can enhance their operational resilience and cyber security posture while ensuring alignment with regulatory requirements such as the Essential Eight or ISO 27001. From board-level training programs to Material Service Provider register development, ongoing compliance monitoring, and CISO-as-a-Service offerings, Insicon Cyber empowers organisations to effectively manage risks and safeguard critical operations in an increasingly complex regulatory landscape.
Whether you are a significant financial institution navigating APRA's active supervision programme, a non-SFI working toward your July 2026 deadline, or a superannuation trustee responding to APRA's June 2025 action letter, Insicon Cyber can help you build a compliance posture that is both audit-ready and genuinely resilient.