APRA CPS 234 and CPS 230: Building Cyber and Operational Resilience in Australian Financial Services
COMPLIANCE

CyberCorp Australia
Cybersecurity & GRC Team
16 April 2026
10 min read

Australian financial services regulators have never been more explicit: information security and operational resilience are not IT concerns — they are executive and board obligations. The Australian Prudential Regulation Authority's (APRA) twin standards, Prudential Standard CPS 234 Information Security and the newly commenced Prudential Standard CPS 230 Operational Risk Management, together form the most comprehensive regulatory framework for cyber and operational resilience that Australia's banking, insurance, and superannuation sectors have ever faced. For CISOs, risk officers, general counsel, Accountable Persons, and boards, understanding how these two standards interact — and where the accountability ultimately sits — is no longer optional.

CPS 234: The Foundation of Information Security Obligations

In force since 1 July 2019, CPS 234 requires every APRA-regulated entity to maintain an information security capability commensurate with the size and extent of the threats to its information assets, one that enables the continued sound operation of the entity. It is deliberately outcomes-focused: APRA specifies what must be achieved, not precisely how to achieve it. This gives entities flexibility, but it also means there is no safe harbour in procedural compliance alone; an entity with a complete policy set and untested controls is not compliant.

Information Asset Identification and Classification

CPS 234 requires entities to classify their information assets, including those managed by related parties and third parties, by criticality and sensitivity: what they hold, where it resides, who has access, and what the consequences of its compromise or loss would be. This means maintaining a living asset register that spans both internally managed systems and those held or processed by other parties. Classification is not a one-off exercise; it must be reviewed as the threat landscape, business model, and technology environment evolve. For many financial services entities, the practical challenge is shadow IT and legacy systems that were never formally inventoried, let alone classified.

Control Implementation and Testing

Once assets are classified, CPS 234 requires entities to implement controls proportionate to the criticality and sensitivity of those assets. Critically, controls must be tested, not merely documented. APRA expects a systematic testing programme for the effectiveness of information security controls, with testing frequency and rigour scaled to the sensitivity of the assets protected, and with testing conducted by appropriately skilled and functionally independent specialists. Where testing reveals deficiencies, entities are expected to remediate them in a timely manner; deficiencies that cannot be remediated in a timely manner must be escalated to the board or senior management. Where a material control weakness cannot be fixed promptly, APRA expects to be told (see the notification obligations below).

Incident Notification to APRA

CPS 234 contains specific and time-bound notification obligations. An APRA-regulated entity must notify APRA as soon as possible and no later than 72 hours after becoming aware of an information security incident that materially affected, or had the potential to materially affect (financially or non-financially), the entity or the interests of depositors, policyholders, beneficiaries, or other customers. The same 72-hour clock also runs for any information security incident the entity has notified to another regulator, in Australia or elsewhere, whether or not the entity itself judged it material. A separate obligation applies to material control weaknesses: entities must notify APRA as soon as possible and no later than 10 business days after becoming aware of a material information security control weakness that the entity expects it will not be able to remediate in a timely manner. These are not aspirational timeframes; they are hard regulatory deadlines, and late or inadequate notification attracts supervisory scrutiny. Note that the clock starts on awareness, so an incident response process that cannot establish materiality within a day or two will struggle to meet the deadline.

Third-Party and Service-Provider Management

CPS 234 requires that where an information asset is managed by a related party or third party, the regulated entity must assess that party's information security capability, commensurate with the potential consequences of an incident affecting the asset, and must evaluate the design of the controls the party has in place. Testing of those controls may be carried out by the entity or by the third party, but the regulated entity must still satisfy itself of the results. In practice this means contractual arrangements need to provide sufficient rights of oversight, assurance, and audit, and entities remain accountable for the security of assets even when they have been outsourced. This obligation does not diminish simply because a vendor holds a security certification; a SOC 2 report or ISO 27001 certificate is an input to due diligence, not a substitute for it.

CPS 230: Raising the Bar on Operational Resilience

CPS 230 commenced on 1 July 2025, replacing the previous outsourcing and business continuity management standards (CPS 231 and CPS 232 and their insurance and superannuation equivalents) with a substantially elevated framework for operational risk management. APRA allowed some transitional relief: existing contracts with material service providers need not be brought into line until the earlier of their next renewal or 1 July 2026, and non-significant financial institutions have until 1 July 2026 to meet the business continuity and scenario analysis requirements. Where CPS 234 focuses on information security, CPS 230 takes a broader view: it requires entities to be resilient to all forms of operational disruption, to maintain critical operations within defined tolerance levels even under severe stress, and to manage the risks arising from all material service providers, not just technology outsourcers.

Identifying Critical Operations

The starting point under CPS 230 is identifying which of an entity's operations are critical: processes which, if disrupted beyond tolerance, would have a material adverse impact on customers or on the entity's role in the financial system. This requires a structured analysis that goes well beyond existing business impact assessments. Entities must map each critical operation to the underlying processes, systems, people, and service providers that support it, and document the dependencies between each layer. CPS 230 also prescribes a minimum set that must be classified as critical unless the entity can justify otherwise: for ADIs, payments, deposit-taking and management, custody, settlements and clearing; for insurers, claims processing; for superannuation trustees, investment management and fund administration; and for all entities, customer enquiries and the systems and infrastructure that support critical operations. Beyond that minimum the definition is entity-specific and must be defensible to APRA.

Tolerance Levels and Stress Testing

For each critical operation, CPS 230 requires entities to establish tolerance levels: explicit, board-approved statements of the maximum period of disruption, the maximum extent of data loss, and the minimum service levels that can be tolerated before customer, financial, or systemic harm becomes unacceptable. These thresholds must be embedded in the business continuity plan, which must be tested at least annually, and informed by scenario analysis of severe but plausible disruptions. CPS 230 adds its own notification clocks: an operational risk incident likely to have a material financial impact or a material impact on the ability to maintain critical operations must be notified as soon as possible and no later than 72 hours after the entity becomes aware of it, and a disruption to a critical operation that goes outside tolerance must be notified as soon as possible and no later than 24 hours after it occurs. The 24-hour window is tighter than the 72-hour CPS 234 incident notification, and it applies to operational disruptions whether or not they are caused by an information security incident. A single event can trigger more than one of these obligations, so the incident process needs to track each clock separately.

Service-Provider Management Under CPS 230

CPS 230 substantially expands the regulatory perimeter for third-party risk. Where the previous outsourcing standard applied primarily to material outsourcing arrangements, CPS 230 requires entities to identify and manage the risks arising from all material service providers: those the entity relies on to undertake a critical operation, or that expose it to material operational risk. The category is defined broadly and includes cloud providers, managed security services, payment processors, technology platform vendors, and related parties, and the entity must also understand the fourth parties its material providers depend on. Entities must maintain a register of material service providers and submit it to APRA annually, conduct due diligence before entering material arrangements, monitor provider performance and risk on an ongoing basis, and notify APRA within 20 business days of entering into or materially changing an agreement that supports a critical operation. Critically, regulated entities cannot contract out of their accountability: if a material service provider fails, the regulated entity remains responsible to APRA for the consequences.

How CPS 234 and CPS 230 Work Together

The two standards are complementary, not duplicative. CPS 234 governs the information security dimension of risk — the controls, testing, and notification obligations that protect information assets from cyber threats. CPS 230 governs operational resilience more broadly — the ability to sustain critical operations through any form of disruption, including but not limited to cyber incidents. Where they intersect most sharply is in third-party management: CPS 234 requires information security assurance over third parties that manage information assets, while CPS 230 requires operational risk management and business continuity assurance over all material service providers. An entity's vendor risk programme must satisfy both standards simultaneously.

In practice, a well-structured programme treats CPS 234 and CPS 230 as a layered defence. CPS 234 controls reduce the likelihood of cyber incidents and provide the detection and notification capability to respond when they occur. CPS 230 ensures that even when an incident materialises — or when a non-cyber disruption strikes — the entity can continue delivering its critical operations within tolerance. Together, they create a resilience posture that is genuinely end-to-end.

Board and Individual Accountability

Both standards place ultimate accountability at the board level, and this is not incidental — it is deliberate regulatory design. Under CPS 234, the board is responsible for ensuring the entity maintains an information security capability appropriate to threats faced. Under CPS 230, the board must approve the entity's risk appetite, the identification of critical operations, and the tolerance levels established for each. These are not delegable obligations in any meaningful sense: while management executes, the board owns the outcomes.

This accountability is further reinforced by the Financial Accountability Regime (FAR), administered jointly by APRA and ASIC, which replaced the Banking Executive Accountability Regime for the banking sector on 15 March 2024 and extended to the insurance and superannuation sectors from 15 March 2025. Under FAR, Accountable Persons, executives and directors with defined accountability for specific functions, face personal consequences for failures in their remit. The FAR rules prescribe responsibilities that include management of information and information technology systems and business continuity, so information security and operational resilience now sit with named Accountable Persons rather than being treated as an IT department matter.

For boards, this regulatory environment demands a material uplift in cyber and operational risk governance. Board reporting must go beyond traffic-light dashboards: directors need to understand control testing results, remediation timelines, critical operation tolerance levels, and service-provider risk profiles in sufficient depth to exercise meaningful oversight. Where boards cannot demonstrate that they engaged substantively with this information, APRA's supervisory response will reflect that gap.

Mapping the Essential Eight to CPS 234 Controls

The Australian Signals Directorate's (ASD) Essential Eight is not mandated by APRA, but it is widely recognised as a leading-practice baseline that directly supports CPS 234 compliance, and APRA's prudential practice guide CPG 234 points entities to ASD's guidance. For entities seeking a structured approach to control implementation, the Essential Eight provides a practical roadmap, with the caveat that it is a baseline for Windows-centric enterprise environments and does not on its own cover the full scope of CPS 234 (for example, third-party assurance, incident notification, and the security of bespoke core banking or policy administration platforms).

The Mapping in Practice

  • Application control and application patching directly address CPS 234's requirement for controls proportionate to asset criticality and the vulnerability landscape.
  • Microsoft Office macro settings and user application hardening reduce the attack surface for phishing and malware — among the most common vectors for CPS 234-notifiable incidents.
  • Restricting administrative privileges and multi-factor authentication (MFA) target privileged access abuse, which is a leading cause of serious information security incidents in the financial sector.
  • Patching operating systems addresses infrastructure-level vulnerability management, a core CPS 234 control expectation.
  • Regular backups directly support both CPS 234 (asset availability and recoverability) and CPS 230 (business continuity for critical operations).

APRA does not prescribe a specific Essential Eight maturity level. Instead, entities are expected to define a target maturity level commensurate with their risk profile, the criticality of their operations, and the sophistication of the threat environment they face. For most APRA-regulated financial services entities, Maturity Level Two represents a credible minimum baseline; larger entities and those handling particularly sensitive data or facing advanced persistent threats should be targeting Maturity Level Three. The Essential Eight maturity model's structured progression gives boards and management a concrete, measurable framework for demonstrating continuous improvement — exactly the kind of evidence APRA expects to see in supervisory engagements.

A Practical Readiness Checklist

For entities assessing their current posture against CPS 234 and CPS 230, the following checklist provides a structured starting point. This is not exhaustive — it is a board-level diagnostic, not a substitute for a full gap assessment.

  • Information asset register: Is it current, classified by criticality, and inclusive of third-party-managed assets?
  • Control framework: Are controls proportionate to asset criticality, and is there a documented testing schedule with results recorded?
  • Incident response: Does your plan include clear escalation pathways to trigger the 72-hour CPS 234 notification, the 72-hour CPS 230 operational risk incident notification, and the 24-hour notification for a critical operation disrupted beyond tolerance? Has it been tested in the last 12 months?
  • Material control weaknesses: Is there a process to identify, assess, and notify APRA of weaknesses that cannot be remediated promptly?
  • Critical operations: Have critical operations been formally identified and documented, with board approval? Are tolerance levels set for each?
  • Business continuity plan: Has the BCP been tested against severe but plausible scenarios in the last 12 months, as CPS 230 requires?
  • Service-provider register: Is it complete and current, covering all material providers across both information security (CPS 234) and operational risk (CPS 230) dimensions, and is it being submitted to APRA annually?
  • Vendor due diligence: Is there a documented process for assessing information security and operational resilience capability before entering material arrangements?
  • Board reporting: Do board papers include substantive information on control testing results, remediation progress, tolerance levels, and service-provider risk — not just summary dashboards?
  • FAR accountability mapping: Have CPS 234 and CPS 230 obligations been mapped to specific Accountable Persons, with documented accountability statements?
  • Essential Eight maturity: Has a target maturity level been formally set and approved? Is there a roadmap to achieve it, with progress tracked against milestones?

Turning Compliance into Competitive Advantage

There is a risk that CPS 234 and CPS 230 are approached as pure compliance exercises — a checklist to satisfy the regulator and then file away. That would be a significant missed opportunity. Entities that build genuine cyber and operational resilience — not just regulatory compliance — gain measurable competitive advantages in the Australian financial services market.

Institutional customers and distribution partners are increasingly conducting their own due diligence on the resilience posture of the entities they do business with. A demonstrated ability to maintain critical operations through disruption, backed by board-level governance and a mature control environment, is a meaningful differentiator when competing for wholesale relationships, institutional mandates, and large-employer superannuation arrangements. Equally, in an environment where APRA is actively exercising its supervisory powers and the Financial Accountability Regime creates personal consequences for executives, entities with robust programmes are materially less exposed to regulatory enforcement action, licence conditions, and reputational damage following incidents.

The most forward-thinking financial services organisations in Australia are not asking "what does APRA require?" They are asking "what does genuine resilience look like, and how do we demonstrate it?" The answer to the second question almost always satisfies the first — and delivers returns well beyond regulatory compliance.

Key Takeaways

  • CPS 234 (in force since July 2019) requires information asset classification, proportionate control implementation and testing, 72-hour incident notification to APRA, and ongoing third-party information security assurance.
  • CPS 230 (commenced 1 July 2025) requires entities to identify critical operations, establish board-approved tolerance levels covering disruption period, data loss, and minimum service levels, test business continuity plans at least annually, and manage all material service-provider risks with a register submitted to APRA each year. It adds a 72-hour notification for material operational risk incidents and a 24-hour notification for disruptions to a critical operation beyond tolerance.
  • The two standards are complementary: CPS 234 addresses information security controls; CPS 230 addresses broader operational resilience. Third-party risk management must satisfy both simultaneously.
  • Board accountability is explicit under both standards, and is further reinforced by the Financial Accountability Regime administered by APRA and ASIC. Information security and operational resilience are named executive obligations, not IT department matters.
  • The ASD Essential Eight provides a structured, measurable path to satisfying CPS 234 control expectations. Most APRA-regulated entities should be targeting Maturity Level Two as a minimum, with larger and higher-risk entities targeting Maturity Level Three.
  • Genuine resilience — as opposed to box-ticking compliance — is a competitive differentiator in Australian financial services, reducing regulatory risk and strengthening institutional relationships.

Navigating the combined requirements of CPS 234 and CPS 230 demands a structured, evidence-based approach that spans governance, technology, operations, and third-party risk. CyberCorp's GRC specialists work with Australian financial services entities to design and implement regulatory compliance programmes that satisfy APRA's expectations and build lasting organisational resilience. To assess your current posture against CPS 234 and CPS 230, Schedule a GRC Assessment with our team today.