
From compliance to competitive edge: Unpacking CPS 230 and CPS 234.

The existing CPS 234 and the upcoming CPS 230 Australian Prudential Regulation Authority (APRA) standards together represent a major step in strengthening the financial services industry's operational and information security risk frameworks.

As the clock ticks towards the CPS 230 deadline, understanding and integrating these regulations is not just a matter of compliance but a strategic imperative. They go to the core of how financial services institutions operate, safeguard information, and ultimately, how they uphold trust.

In this article we’ll discuss these key questions:

  • What are CPS 230 and CPS 234?
  • What’s the difference between CPS 230 and CPS 234?
  • Where do CPS 230 and CPS 234 intersect?
  • Why should you care?


What are CPS 230 and CPS 234?

Two of the most important operational risk standards in Australia's financial services regulatory framework are CPS 230 [1] and CPS 234 [2], both issued by the Australian Prudential Regulation Authority (APRA).

CPS 230, which comes into effect on 1 July 2025, provides a comprehensive approach to managing operational risk within financial institutions, encompassing everything from compliance and legal risk to technology and data risk. The standard requires APRA-regulated entities to develop and maintain a robust operational risk management framework, with a well-defined risk appetite, effective risk assessment processes, and controls to mitigate the risks identified.

While CPS 230 addresses operational risk at a broad level, CPS 234, which has been in force since 1 July 2019, zeroes in on the critical area of information security. It sets out specific requirements for identifying, protecting, and monitoring information assets, including incident response plans and regular testing of security controls. The standard aims to ensure that financial institutions maintain adequate defences against cyber incidents, thereby protecting customer data and preserving the confidentiality, integrity, and availability of information systems.

By setting and overseeing these standards, APRA aims to foster a stable, efficient, and competitive financial system that upholds the interests of depositors, policyholders, and superannuation fund members.

What's the difference between CPS 230 and CPS 234?

While both standards aim to boost the resilience of financial institutions, CPS 230 focuses on operational risk broadly, whereas CPS 234 focuses directly on information security risk. This leads to key differences in how institutions comply with each standard and who is responsible for compliance.

Compliance requirements:

  • CPS 230: Institutions must develop and maintain an operational risk management framework, establish a risk appetite with clear indicators and limits, and implement controls to manage identified risks. Senior management must oversee operational risk management processes, with regular reporting and review mechanisms to ensure ongoing compliance
  • CPS 234: Institutions must identify and classify information assets, regularly test information security controls, manage information security incidents, and ensure robust third-party risk management practices. Information security roles and responsibilities must be clearly defined, and material incidents must be reported to APRA promptly (CPS 234 requires notification no later than 72 hours after the entity becomes aware of a material incident)

Distinct responsibilities and actions:

  • CPS 230: Risk managers must ensure that their institutions' risk management frameworks are comprehensive, covering all operational risk aspects. This involves continuous monitoring and review, fostering a risk-aware culture, and ensuring that risk management practices are integrated into the daily operations and strategic planning of the institution
  • CPS 234: IT/cyber risk professionals must establish and maintain information security measures that are in line with APRA’s requirements. This includes conducting regular security assessments, enhancing cybersecurity protocols, managing third-party information security risks, and developing incident response strategies

Where do CPS 230 and CPS 234 intersect?

The intersection between CPS 230 and CPS 234 highlights the synergy between operational risk management and information security within the financial sector: robust information security is a cornerstone of comprehensive operational risk management.

Operational risk management, as outlined in CPS 230, encompasses a wide range of risk types, including but not limited to technology and data risks, which are directly influenced by an institution's information security posture. Information security, the focus of CPS 234, is thus integral to managing and mitigating operational risks. Strong cybersecurity measures are required to safeguard against operational disruptions.

Compliance with CPS 234 not only meets the regulatory requirements for information security but also significantly contributes to the broader objectives of CPS 230. Effective information security practices prevent potential financial losses, reputational damage, and operational downtime, all of which are key concerns of operational risk management. By securing information assets against cyber threats, institutions can ensure the continuity of their critical operations.

Some specific areas where the two standards meet include:

  • Third-party risk management: Implementing stringent information security measures for third-party service providers (as required by CPS 234) reduces the risk of data breaches through external partners. This directly supports CPS 230’s mandate for managing operational risks associated with outsourcing and vendor relationships
  • Incident response planning: Developing and testing incident response plans to address information security incidents (CPS 234) enhances preparedness for operational disruptions, aligning with CPS 230's emphasis on resilience and rapid recovery from operational incidents
  • Control testing and assessment: Regular testing of information security controls (CPS 234) provides insights into the effectiveness of risk mitigation strategies, contributing to the operational risk assessment and management processes outlined in CPS 230. This ensures that controls are not only designed appropriately but are also effective in practice

Why should you care?

As with any regulatory framework, one important reason to care is the direct and indirect cost of non-compliance:

  • Financial impacts: Non-compliance can result in significant financial penalties imposed by regulators. Beyond fines, institutions may face costly operational disruptions and the expense of remedial actions required to address compliance gaps
  • Reputational impacts: The trust of customers and the broader market can be damaged by failures in risk management or information security. Incidents such as data breaches erode customer confidence and can deter potential business partners and investors
  • Operational impacts: Non-compliance can lead to operational risks materialising, resulting in disruptions to business operations. In severe cases, this could compromise the institution's ability to function effectively

But at the same time, these standards are not just regulatory requirements – they are also essential components of your risk management strategy.

For operational risk managers, understanding and implementing the requirements of CPS 230 and CPS 234 is crucial for developing a comprehensive risk management strategy. These standards influence daily activities such as risk assessment, monitoring, and reporting, requiring a proactive approach to identifying and mitigating potential risks. Adherence to CPS 230 and CPS 234 ensures that risk management practices are aligned with the broader goals of financial stability and resilience.

For IT/cyber risk professionals, CPS 234 delineates the parameters for protecting information assets. Daily responsibilities involve implementing robust cybersecurity measures, conducting regular security assessments, and managing incident response. Compliance with CPS 234 enables IT/cyber risk professionals to contribute directly to the institution's overall risk management framework.

Compliance with CPS 230 and CPS 234 is not just about meeting regulatory requirements; it's about embedding a culture of risk awareness and information security that supports the institution's strategic objectives.

Conclusions and next steps for your organisation

Now is the time to deepen your understanding of CPS 230, align your operational risk management practices with APRA's standards, and ensure your organisation meets and exceeds the regulatory expectations. Understanding CPS 230 in isolation is not enough; you need to recognise its interplay with CPS 234 to fully understand the operational and cybersecurity landscape:

  • Review and differentiate: Begin by differentiating between the mandates of CPS 230 and CPS 234, understanding their individual and collective impacts on your operations.
  • Integrate and align: Integrate the principles and requirements of CPS 230 into your risk management and business strategies, ensuring a seamless alignment that promotes resilience and security.
  • Use software tools: Explore how software tools such as Protecht ERM can streamline your journey towards CPS 230 compliance, offering tools and insights that enhance your operational risk management framework and support robust governance.

When embarking on this journey, Protecht's CPS 230: How to apply the operational risk management standard white paper is an invaluable resource for risk management professionals, compliance officers, and senior management alike. It offers practical guidance, actionable insights, and a roadmap tailored to your needs, while demystifying the regulatory complexities. Equip your organisation with the knowledge, strategies, and tools needed to thrive in a CPS 230 world:

Read the white paper
[1] Download the CPS 230 standard and the CPS 230 draft practice guide
[2] Download the CPS 234 standard and the CPS 234 practice guide

About the author

Mike Franklin has a long background in cyber security and risk governance. Prior to joining Protecht to lead our cyber risk team, he worked for multiple blue-chip organisations in banking, finance and tertiary education. Mike’s deep expertise helps Protecht customers to strengthen their cyber security, ISMS and third party/vendor risk management programs.