
On 1 July 2025, CPS 230 compliance became a thing.
Introduced by the Australian Prudential Regulation Authority (APRA), CPS 230 requires all APRA-regulated entities (think financial services like banks, insurance companies, mutuals, friendly societies and most of the superannuation industry) to have wrangled their operational risk controls into submission.
This includes strengthening risk controls, improving business continuity planning, and appropriately managing risks associated with third-party material service providers.
And because we’re hot on cyber-risk management, we think it’s a topic worth talking about.
Why we think APRA has made a good move
First, let’s backtrack a bit to show why APRA is strengthening the requirements it places on the entities it regulates.
In 2019, APRA introduced CPS 234 (Information Security), a standard that ensures entities it regulates have robust information security practices in place to protect themselves and their customers from cyber threats.
So, how’s that working out for them? Not so great, it seems, with APRA saying just four years later in its article “Cyber security stocktake exposes gaps”: “Some of the world’s largest brands have fallen victim to major data breaches in recent years. Rates of cybercrime have increased and criminal attacks have become more sophisticated. Australia has not been immune; recent, well-publicised cyberattacks are among the largest in the country’s corporate history. Early findings from an expansive APRA study on cyber resilience in financial services show there is a need to raise the bar.”
One example is the RI Advice Group, which was successfully taken to task by ASIC in 2022 for failing to identify the risks its authorised representatives faced, including those related to cybersecurity and resilience, and for not having adequate documentation, controls, and systems in place to manage those risks. The outcome? In an Australian first, the Federal Court found that RI Advice breached its licensing obligations to act efficiently and fairly by failing to have adequate risk management systems in place to manage its cybersecurity risks. It was ordered to pay $750,000 towards ASIC’s costs.
Is cybercrime getting worse for financial services?
Yes, it is. The CyberCX 2025 Threat Report reveals that when it came to cyberattacks, financial services were the second most impacted industry in 2024 (healthcare ranked first, and education third). And you guessed it: common to all three sectors is that they hold significant amounts of sensitive personal information.
Ransomware-only attacks are rising (representing 38% of incidents in 2024, compared with 13% the year before), whereas data theft extortion-only cases are decreasing. Financial gain remains the most common motive behind attacks.
Furthermore, espionage incidents are now going unnoticed for longer. In 2024, the average time to detect (TTD) grew to 404 days, up from 390 days in 2023.
Which all raises the question – if you’re a financial services provider, how do you accelerate your ability to protect your people and data? And where do you risk falling short of your obligations and your ethical responsibility?
Let’s talk about outsourcing and risk
CPS 230 has three key requirements. APRA-regulated entities must:
- Identify, assess and manage operational risks, with effective internal controls, monitoring and remediation
- Continue to deliver critical operations within tolerance levels through severe disruptions, with a credible business continuity plan
- Effectively manage risks associated with service providers, with a comprehensive service provider management policy, formal agreements and robust monitoring
Key to point three is that you must not rely on a service provider unless you can ensure that, in doing so, you can continue to meet your prudential obligations in full and effectively manage operational risks.
Keeping your service providers accountable – is ISO accreditation the answer?
Given APRA’s emphasis on ensuring your service provider upholds the same standards you are held to, due diligence has to happen at your end. And it’s more than just sending out an outsourcing policy for signatures.
Beyond the box-ticking exercise, you need to be confident that your service provider (for example, your MSP) will continue to uphold those standards, and that they are second nature to how it operates – not just dusted off at a time of need.
One way to do this with confidence is to choose a partner who has already done the hard yards and gained ISO 27001 certification.
What does ISO do for you?
If you choose an ISO 27001-certified partner, you have independent assurance that they run a secure, managed information security system right across their organisation, are highly cyber risk-aware, can proactively identify and address weaknesses, will pass any audit with flying colours, and have an independently validated reputation for credibility and cyber resilience.
ISO 27001 is perhaps the world’s most widely recognised standard for information security management systems, so much so that the Australian 2022 Critical Infrastructure Protection Act requires all of our critical infrastructure sectors (from healthcare to energy to defence) to either hold ISO 27001 certification or, as an unmandated option, to consider working only with ISO-qualified MSPs (like Colton).
Likewise, APRA doesn’t (yet) insist that your MSP must be ISO 27001 certified – but the writing is on the wall for those who aren’t. As well as future-proofing your APRA-regulated entity, choosing an MSP now that is already ISO qualified means you’ve pre-empted any eventual changes to CPS 230 by putting your organisation on the right foot from the outset.
After all, you can never set some standards too high when it comes to protecting personal data – right?
Note this date: 1 July 2026 (and why you can’t be late for this very important date)
When it comes to CPS 230, APRA are taking no prisoners.
The transition period for existing service provider arrangements, and the extensions granted to non-SFIs (entities that are not significant financial institutions), ends precisely on 1 July next year. And the financial industry has been warned to expect no leniency for laggards.
If you’d like to talk about cybersecurity risk management for APRA-regulated entities, and where to from here for your organisation, let’s connect.