APRA sets prudential standards that require regulated entities to manage their security and operational resilience. Two stand out: CPS 234 Information Security, in force since 1 July 2019, and CPS 230 Operational Risk Management, in force from 1 July 2025. Together, they require banks, insurers and superannuation funds to protect their information and to keep their critical operations running through disruption.
For risk, security and compliance teams in financial services, these standards are enforceable obligations, not guidance. This page explains what CPS 234 and CPS 230 require, how CPS 230 brings business continuity and service-provider risk into one standard, and who must comply.
Overview
What are the APRA security and resilience standards?
The Australian Prudential Regulation Authority regulates banks, insurers and superannuation funds, and sets prudential standards they must meet. Two are central to security and resilience: CPS 234 covers information security, and CPS 230 covers operational risk management and operational resilience. Both are cross-industry standards that apply to all APRA-regulated entities.
The standards
CPS 234 and CPS 230 compared

CPS 234 requires a regulated entity to maintain an information security capability commensurate with the threats it faces, implement and test security controls, and notify APRA of material information security incidents. CPS 230 requires sound operational risk management, the ability to maintain critical operations during severe disruptions, and management of risks from material service providers, all tested through scenario analysis.
Information security
CPS 234 and information security
CPS 234 makes the board ultimately responsible for the entity’s information security. It requires the entity to size its information security capability to the threat, maintain and test controls, and manage the information security of third parties that hold or handle its data. Material incidents and significant control weaknesses must be reported to APRA. It overlaps closely with the wider cyber security discipline.
Operational resilience
CPS 230 and operational resilience
CPS 230 is the newer and broader standard. It requires an entity to manage its operational risk, identify its critical operations, keep them running through severe disruptions, and manage the risks arising from its material service providers. It absorbs the business continuity and outsourcing requirements that earlier standards covered separately, bringing operational resilience under one roof.
CPS 230 requires regulated entities to test their business continuity and operational risk arrangements through scenario analysis. The approach to that testing is set out in the exercising and testing pillar.
The connection
How CPS 230 relates to business continuity
CPS 230 is, in large part, a business continuity and third-party risk standard for financial services. Its requirement to maintain critical operations through disruption is met with the same disciplines covered in the business continuity pillar: a business impact analysis, continuity strategies, and tested plans. An entity that builds a credible continuity capability, grounded in security risk management, is well placed to meet CPS 230.
How we help
How Agilient supports CPS 234 and CPS 230
Agilient helps APRA-regulated entities meet their information security and operational resilience obligations, independent of any product or vendor. The work integrates security, continuity, and third-party risk.
CPS 234 information security
Building and testing the information security capability that the standard requires.
CPS 230 operational risk
Operational risk management and critical-operations resilience.
Business continuity
Continuity capability that meets the CPS 230 disruption requirement.
Service-provider risk
Managing the risks from material service providers.
Scenario analysis and testing
Testing the plans against severe but plausible scenarios.
Gap assessment
Where do you stand against CPS 234 and CPS 230?
Agilient works across Sydney, Melbourne, Brisbane, Adelaide and Canberra.
Meet your APRA security and resilience obligations
A gap assessment against CPS 234 and CPS 230 shows where your information security and operational resilience stand, and what it takes to close the gaps.
Talk to us about CPS 234 and CPS 230, or book a short briefing.
FAQs
Frequently asked questions
What is CPS 234?
What is CPS 230?
Who must comply with CPS 230 and CPS 234?
How does CPS 230 relate to business continuity?
Where should an entity start?

References
- Australian Prudential Regulation Authority, CPS 234 Information Security, apra.gov.au
- Australian Prudential Regulation Authority, CPS 230 Operational Risk Management, apra.gov.au
