Nick Ellsmore, October 2024
As the new APRA CPS 230 standard takes effect, executives must act now to ensure their organisations are equipped to manage operational risks—especially in areas like cybersecurity, third-party vendors, and incident response.
You’re unlikely to be starting from scratch, as most of these requirements are not new, but APRA is raising the bar on what it expects to see evidenced.
Alongside increased accountability for boards and leadership, CPS 230 demands strategic investments in technology and stronger governance frameworks. It’s a good time to think holistically about your environment (people, process, technology), your risk frameworks and your organisation’s ability to be agile. A culture of resilience is important, and early action is essential for staying ahead of evolving regulations.
Are you ready to meet these new regulatory challenges and protect your business from disruption?
The three pillars of a security and resilience program.
Simplicity and structure are key.
Completeness of coverage
It’s rare that you would be completely missing a key security control – it’s much more likely that the control exists but is not fully deployed. Focusing on the “last mile” – getting each control from partial to 100% coverage – is where the effort pays off, because attackers look for the endpoints, accounts and systems the control never reached.
Consolidation
Reduce the complexity in your environment and, as a result, your threat surface – the importance of this can’t be overstated. Fewer systems, vendors and integrations mean fewer things to secure, monitor and recover. The same applies to data: you don’t need to protect data you don’t retain.
Assurance
It’s no longer enough to do a six-monthly ‘check-in’ on your security and risk posture – assurance needs to be ongoing, near-real-time, and effectively communicated to the stakeholders who need it (including the board!).
Now you’ve got that in hand, here’s a handy checklist so you can baseline where you’re at, and uncover where you need to direct your efforts.
APRA’s CPS 230 compliance checklist
- Critical Operations (COs) are identified.
- Tolerances are defined and approved by the Board for COs (time, data loss, and service level).
- Material service providers (MSPs) are identified – and proactively reported to APRA.
- Notification processes are operational for material operational risk incidents, tolerance breaches and changes to MSP arrangements, each of which must be reported to APRA.
- Board governance and oversight is in place and clear roles and responsibilities are set.
- Risk profiles and risk reporting are established, along with the supporting oversight accountabilities.
- Accountability for COs, MSPs, and monitoring is in place.
- Existing service provider contracts are updated within the 12-month transition period allowed under paragraph 7 of the Standard.
- Business Continuity Management (BCM) shifts to a Critical Operations (CO) focus.
You can read APRA’s own guidance on these requirements (CPG 230) here:
https://www.apra.gov.au/response-to-submissions-cpg-230-operational-risk-management
What now?
Mantel Group are well placed to support you on CPS 230. We partner with clients to take an engineering-led approach to CPS 230, integrating compliance into your organisation’s DNA.
Our tailored solutions, grounded in our extensive experience in cyber security, risk assessments, and governance, ensure a seamless transition to the new standard. See our Continuous Assurance page for more information on how we ensure that your security posture is continually evolving to meet each new threat that arises within the digital landscape.