A new prudential standard, CPS 230 Operational Risk Management, comes into effect on 1 July 2025, and for the many holders of an Australian Financial Services Licence (AFSL) that are also APRA-regulated entities, this means a significant step-up in their cybersecurity and operational-resilience obligations. This is not just another compliance checkbox: the Australian Prudential Regulation Authority (APRA) has made it clear that there will be serious consequences for inaction, including heightened supervision, additional reporting and, in severe cases, formal enforcement action with licensing consequences (APRA can impose conditions on the authorisations it grants, and ASIC, which issues AFSLs, can act on the licence itself).
For APRA-regulated AFSL holders, which include a wide range of institutions in the banking, insurance and superannuation sectors, CPS 230 introduces a more stringent and holistic approach to managing operational risk, replacing the previous outsourcing (CPS 231) and business continuity (CPS 232) standards, with a significant focus on cybersecurity. A critical component is its reliance on Prudential Standard CPS 234 Information Security, which has applied since 1 July 2019, continues to apply alongside CPS 230, and sets a high bar for protecting information assets.
We have seen regulators enforce CPS 234 audits on financial services companies with little warning, uncovering significant gaps in their security controls and leading to major repercussions. With the introduction of CPS 230, the scrutiny is only set to intensify. The question you need to be asking is: are you ready?
Understanding the Cyber Security Impact of CPS 230
The overarching goal of CPS 230 is to bolster the operational resilience of APRA-regulated entities. It requires a proactive and comprehensive approach to managing all operational risks, with a specific emphasis on:
- Effective Internal Controls: You must identify, assess, and manage your operational risks with robust internal controls. This includes having a clear understanding of your operational risk profile and a defined risk appetite.
- Business Continuity Planning (BCP): A credible and regularly tested BCP is no longer a “nice-to-have” but a fundamental requirement. You need to be able to continue delivering your critical operations within tolerance levels, even during severe disruptions.
- Service Provider Management: The risks associated with your service providers are your risks. CPS 230 mandates a comprehensive policy for managing these relationships, including formal agreements, robust monitoring, and a maintained register of material service providers, with APRA to be notified of material arrangements.
The Inextricable Link to CPS 234: Your Cyber Security Baseline
Crucially, CPS 230 explicitly integrates the requirements of CPS 234 Information Security. This means that as an APRA-regulated AFSL holder, you must demonstrate a mature and effective information security capability. Key technical requirements from CPS 234 that you need to have in place include:
- A Clear Definition of Roles and Responsibilities: The Board and senior management have ultimate responsibility for the entity’s information security.
- Maintaining a Strong Information Security Capability: This capability must be proportionate to the threats your information assets face. This extends to assessing the security capabilities of any third-party providers who manage your information assets.
- Implementing and Testing Controls: You must implement information security controls that are appropriate for the criticality and sensitivity of your information assets. These controls need to be systematically tested to ensure their effectiveness.
- Incident Response and Notification: Robust mechanisms to detect and respond to information security incidents in a timely manner are essential. Material incidents must be notified to APRA within 72 hours of becoming aware of them, and material information security control weaknesses that cannot be remediated in a timely manner within 10 business days.
The Consequences of Non-Compliance: More Than Just a Slap on the Wrist
APRA has been clear about its expectations and the potential consequences for entities that fail to meet these standards. These can range from:
- Increased supervisory oversight and reporting requirements.
- The imposition of additional capital requirements.
- The development of a mandatory remediation program.
- In serious cases, formal enforcement action, including conditions on your APRA authorisation and, through ASIC, consequences for your AFSL.
The time to prepare is now. Waiting for the 1 July 2025 deadline to approach is a risk your business cannot afford to take.
How Vertex Can Help You Prepare
Navigating the complexities of CPS 230 and CPS 234 can be a daunting task. At Vertex, we have extensive experience in assisting AFSL-holding companies to understand and implement these critical cybersecurity standards. Our team of experts can provide a range of services to help you meet your obligations, including:
- Cyber Security Consulting and Implementation: We provide customised cyber security assistance and expert consultants to assess, improve and implement the controls CPS 230 and CPS 234 require. Our managed services can provide tailored security advice and configuration implementation to ensure you are protected.
- Cyber Security Audits: We can conduct comprehensive audits that assess your current position against CPS 234 and map your controls to related frameworks such as ISO 27001 and the NIST Cybersecurity Framework.
- Penetration Testing: Our expert testers can identify vulnerabilities in your systems, applications, and networks, providing you with actionable recommendations in a clear and concise report to strengthen your defences.
- Policy and Procedure Development: We can assist you in creating and customising a suite of industry-leading policy and procedure templates aligned to CPS 230, CPS 234 and international cybersecurity standards, accelerating your pathway to compliance and, where you pursue it, certification such as ISO 27001.
- Business Continuity and Incident Response Planning: We can help you develop and test a robust BCP and incident response plan to ensure you are prepared for any eventuality.
The introduction of CPS 230 is a clear signal that cybersecurity is a top priority for Australian regulators. For AFSL holders under APRA’s purview, this is a call to action. Do not wait to be caught unprepared.
Contact Vertex today to discuss how we can help you navigate the new requirements and strengthen your cyber resilience. Visit our contact page or call us on 1300 2 CYBER (29237).