
How to Prepare for APRA CPS 230 Regulations
By Kyle Gibson, Head of Corporate Finance
Understand what APRA CPS 230 means for your organization, and how to get compliance-ready by the July 2025 deadline.
If you work for an Australian business in the financial services industry, you’ve likely already heard of the Australian Prudential Regulation Authority (APRA). You may also have heard that a new APRA prudential standard, CPS 230 Operational Risk Management, applies to all APRA-regulated entities from 1 July 2025.
If these regulations are set to impact your business, here’s what you need to know – and how you can prepare.
What is APRA CPS 230?
The financial services industry has become increasingly reliant on digital services to keep its products fast, widely available, and reliable. But what happens if those services go down?
APRA’s new prudential standard is about operational risk management: keeping critical operations running through disruption, and managing the service providers those operations depend on. It replaces and combines the earlier standards CPS 231 (outsourcing) and CPS 232 (business continuity management), and raises the bar for how operational risks and third-party arrangements must be managed to protect uptime and service reliability.
By mandating a thorough risk management approach to digital services (including cloud, networking, and data center services), these new regulations are expected to:
- help companies identify weaknesses in their existing operational risk controls and improve their resilience
- prepare companies to respond effectively to severe disruptions, minimizing the impact on customers and protecting business continuity
- guide businesses to choose cloud, networking, and managed service providers that can evidence their own operational risk management and back it with strong SLAs.
The standard comes into effect on 1 July 2025. Transitional arrangements apply to pre-existing contracts with material service providers: these must be brought into line with CPS 230 by the earlier of the next contract renewal date or 1 July 2026.
Why is APRA introducing CPS 230?
As businesses become increasingly reliant on third-party cloud, networking, and data center services, the likelihood of operational downtime increases and the severity of its impact grows.
The disruptions leading to this downtime can be caused by any number of factors, including:
- cyberattacks
- power outages
- natural disasters
- supply chain failures
- network outages.
According to APRA Chair John Lonsdale, “Disruptions to financial services can cause a major detrimental impact to the people who rely on them to pay bills, recover from financial loss, or support themselves in retirement.”
“The need for APRA’s new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches. This new standard will ensure that regulated entities set and test controls and maintain robust business continuity plans to respond if disruptions do occur.”
Who is APRA CPS 230 for?
APRA CPS 230 impacts all APRA-regulated companies. This includes:
- authorised deposit-taking institutions like banks, building societies, and credit unions
- insurers of all kinds, including general insurers, reinsurers, life insurers, and private health insurers
- most of the superannuation industry (APRA-regulated superannuation trustees).
International companies only need to bring their Australian branches into compliance, although the shift is a good opportunity for global enterprises to audit operational resilience across all of their branches and headquarters.
How to become APRA CPS 230 compliant
To avoid regulatory action from APRA, and to end up with a more resilient business in the process, here is how your IT team can prepare for the APRA CPS 230 requirements.
Review your risk management frameworks
Your company’s risk management frameworks need to be more than just policies on paper – they should be comprehensive, actionable, and tied to real-world processes.
To align your operational risk management practices with CPS 230 requirements, your frameworks need to be proactive rather than reactive, and include the following:
- A comprehensive risk taxonomy that considers internal processes, people, external events, and single points of failure.
- Control registers that outline how each risk is identified and mitigated, including who owns each control, how each procedure will be tested, how risks will be monitored, and how failures will be escalated.
- A board-approved operational risk appetite with metrics and thresholds that separate acceptable from unacceptable levels of risk – for example, the maximum period of disruption you will tolerate for a critical operation, and the maximum data loss you will accept when it is restored.
- A list of all material service providers with an assessment of the risks present in those relationships as well as contractual arrangements, monitoring practices, and exit/transition plans. Consider cloud, data center, and network vendors – if their failure can impact your operations, they’re in the scope of your framework.
- A clear outline of risk management roles and responsibilities for your board and board risk committee, senior management, risk owners, and control owners.
- Board and committee minutes that demonstrate regular engagement with the framework, as well as training and awareness of effective risk management among wider staff.
A risk management framework is a living document. Schedule a review of the framework at least annually, and test it regularly to make sure it holds up in a real-world scenario rather than only on paper.
Develop and regularly test a Business Continuity Plan
Your Business Continuity Plan (BCP) is a formally documented strategy for how your business will keep operating after a disruption: a specific, step-by-step list of the actions you will take and the people involved when an issue actually occurs. While your risk management framework is your “how can we prevent things from going wrong?” guide, your BCP is your “what do we do if something does go wrong?” guide.
Depending on the size and complexity of your business, a BCP may include the following information:
- Clear identification of which services and functions are essential to keep running, supporting prioritization.
- Recovery time objectives (how quickly operations must be restored) and recovery point objectives (how much data loss is acceptable).
- A map of dependencies that would be impacted by a disruption.
- A clear explanation of how critical operations will continue during different disruption scenarios, including backup systems and providers, alternate processes, failover procedures, and staff reallocation.
- A defined response team with roles covering plan activation, communications, and critical process signoffs.
- An outline of who to contact during an incident and how they can be reached, including templates for effective communication.
- A description of how the BCP needs to be tested, updated, and governed.
Audit your third-party services
While ongoing monitoring of your third-party providers should be covered in your risk management framework, an initial audit will tell you where you stand with your current service provider agreements. Check their SLAs, considering factors like uptime, number of available locations, and security features, and check the contract terms against the items in your framework: monitoring rights, incident notification, and exit/transition plans.
Engage board and senior management
Your board and senior management should not only be actively involved in the creation and approval of your risk management framework; they should also understand your BCP, support the implementation of suggested strategies and processes, and advocate best practices to staff.
Learn more about APRA CPS 230
With 950+ global locations, high-performance connectivity, and on-demand provisioning, Megaport’s private network underlay is ready for CPS 230.
If you want to take a deep dive into APRA CPS 230, check out the following resources:
- APRA’s CPS 230 Objectives and Key Requirements document
- APRA’s operational risk management updates page