Cybersecurity is continuing to grow as a key concern in the minds of businesses, consumers and regulators. In 2023, IBM estimated the average cost of a data breach in Australia at $3.35 million. With the increasing frequency and damage of cyber-attacks, regulators are turning their focus towards businesses and expecting them to take responsibility for safeguarding against such attacks.

One of the latest regulators to do so is the Australian Prudential Regulation Authority (“APRA”). On 1 July 2025, APRA’s ‘Prudential Standard CPS 230: Operational Risk Management’ will come into effect and apply to all APRA-regulated entities. These entities include banks, insurance providers (both general and life insurance), private health insurance providers and registrable superannuation funds. However, it would benefit all businesses to be aware of these CPS 230 Standards as they may prove to be a roadmap for other regulators, such as ASIC.

The purpose of the CPS 230 Standards, as stated by APRA, is ensuring regulated entities are “resilient to operational risks and disruptions” by imposing requirements on businesses to:

  • “identify, assess and manage its operational risks, with effective internal controls, monitoring and remediation;
  • be able to continue to deliver its critical operations within tolerance levels through severe disruptions, with a credible business continuity plan (BCP); and
  • effectively manage the risks associated with service providers, with a comprehensive service provider management policy, formal agreements and robust monitoring.”

It is important to note that the third of the key requirements (managing service providers) extends not only to the risks involved with external third party services but also includes anticipating fourth party risks. Fourth party meaning any parties that the external service providers themselves may rely on when delivering critical operations to you. Part of the compliance requirements from July 2025 will be that material/critical service providers must be identified and a list provided to APRA annually.

While the active date for compliance is a year away, moves to implement the required measures should be made as soon as possible. APRA’s chair John Lonsdale said “we expect regulated entities to be proactive in preparing for implementation, rather than waiting for the last minute to get ready to meet the new requirements” and the regulator is expecting financial service businesses to have their plans and safety measures firmly in place by July 2025. By way of guidance, its ‘proactive transition period’ recommends that businesses identify material service providers by mid-2024 and tolerance levels determined by the end of 2024.

To assist their regulated entities with achieving CPS 230 compliance, APRA is expecting to release a finalised Prudential Practice Guide CPG 230 Operational Risk Management by the end of the 2023-2024 financial year.

While APRA-regulated entities must review, understand and comply with the CPS 230 Standards, all other businesses would also do well to read it and anticipate how similar regulations may affect them in the future. The earlier you begin considering and implementing, the safer your business will be both from cyber-attacks and non-compliance penalties.

The APRA CPS 230 Standards and a draft of the accompanying practice guide CPG 230 are available on the ASIC website: https://www.apra.gov.au/operational-risk-management.

If you have any queries regarding any of the matters discussed above, please do not hesitate to contact NextGen Legal on (03) 9039 2142.