Client Alert

Learnings from CPS 234 as you adopt CPS 230

With the CPS 234 Information Security tripartite review program coming to an end around June 2024, APRA-regulated entities face a pivotal moment.

The looming implementation of CPS 230 Operational Risk Management is closely tied to CPS 234, requiring regulated entities and service providers to prepare for its impact. To help you prepare for these changes, we highlight steps to consider as you plan, and explain how CPS 230 and CPS 234 are interconnected in the evolving regulatory landscape.

The relationship between CPS 234 and CPS 230  

CPS 234 focuses on information security in APRA-regulated entities to enhance their resilience against information security incidents, including cyber threats. While CPS 234 is specific to information security, it complements CPS 230, which sets out minimum standards for managing operational risk across APRA-regulated entities.  

Operational risk covers a wide range of risks beyond information security. While CPS 230 has the broader scope, it aligns with CPS 234's focus on information security and resilience. Together, they create a comprehensive operational risk framework, with CPS 234 emphasising information security practices and CPS 230 offering a holistic approach to managing operational risks.

These standards work together to enhance the overall resilience of financial institutions in Australia. 

See our overview of how CPS 234 and CPS 230 are interconnected, area by area:

Area of focus
  CPS 234: Information security risk – incidents that impact the confidentiality, integrity or availability of information assets.
  CPS 230: Operational risk – maintaining critical operations through disruptions, and managing the risks arising from service providers.

Scoping
  CPS 234: Information assets.
  CPS 230: Critical operations.

Risk assessment
  CPS 234: Ratings based on criticality and sensitivity.
  CPS 230: A defined risk appetite supported by indicators, limits and tolerance levels.

Controls implementation
  CPS 234 and CPS 230: Requirements are very similar – design, implement and embed controls commensurate with risk.

Controls testing program
  CPS 234 and CPS 230: Requirements are very similar – testing of design and operating effectiveness must be conducted on a regular basis, with results reported to senior management and the Board. Identified weaknesses should be remediated in a timely manner and escalated where this is not possible.

Notification requirements (material control weaknesses)
  CPS 234: Within 10 days where the weakness cannot be remediated in a timely manner.
  CPS 230: Not required unless it results in a material incident.

Notification requirements (material disruptions and incidents)
  CPS 234: Within 72 hours of becoming aware of a material information security incident.
  CPS 230: Within 24 hours after a disruption outside tolerance; within 72 hours after an operational incident with material financial or operational impact.

Ecosystem
  CPS 234: Related or third parties that manage information assets on the entity's behalf.
  CPS 230: Material service providers – those on which the entity relies to undertake a critical operation or that expose it to material operational risk (including fourth parties).

Notification requirements (third-party arrangements)
  CPS 234: Not required.
  CPS 230: Required:
    • Prior to any material offshoring arrangement
    • Within 20 days of a material service provider arrangement

How should Boards think about CPS 230? 

As Boards and directors are tasked with establishing a robust operational risk management framework, they should prioritise the following key areas: 

1. Operational Risk Management Framework: 

  • Policy and risk appetite: The Board plays a crucial role in establishing an effective risk management framework. This involves determining policy, setting risk appetites, and establishing appropriate processes for monitoring, analysis, reporting, and managing risks and risk events. 
  • Accountability: CPS 230 places accountability for operational risk management squarely on the Board. Directors must actively engage in overseeing operational risk practices within the organisation. 

2. Implementation timeline: 

  • Proactive transition: Entities should start considering the key components of CPS 230 now to ensure preparedness. APRA has introduced a proactive transition period, requiring entities to identify material service providers and critical operations by mid-2024. By the end of 2024, entities should have set tolerance levels. The standard becomes effective on 1 July 2025. 

3. Key alignments between CPS 230 and CPS 234: 

  • Risk event preparedness: Entities must ensure effective processes to support the management and response to risk events, effectively reducing their impact. 
  • Resilience: Organisations should be able to continue operating despite disruptions, providing critical services to customers. 
  • Business continuity planning: Rigorous business continuity planning and exercising are critical to minimise the impact of disruptions to an acceptable, tolerable level. Entities will need to expand their thinking to ‘severe but plausible’ scenarios. 
  • Third- and fourth-party ecosystem: Entities will need to tackle the challenge of updating contracts to include operational risk clauses and obtaining the necessary controls assurance. This may not be straightforward and will take time. 

4. Long-term impact: 

  • Boards and executive teams should focus on what the organisation can and should have in place by 1 July 2025. This means considering the resources required for a program of work to achieve a deeper impact for the benefit of customers and stakeholders. 

In summary, boards and directors should actively engage in shaping the operational risk management framework, ensuring resilience, and prioritising risk event preparedness to meet CPS 230 requirements effectively. 

Our financial services industry specialists can help you navigate the changes ahead to meet CPS 230, whether that is uplifting governance arrangements for oversight of operational risk, aligning operational risks, tolerance levels and business continuity plans, assessing material service providers, or enhancing supplier management and due diligence procedures. We know the transition is a complex one with many moving parts; contact us today to discuss your needs.

Gearing up for CPS 230's implementation
This webinar is tailored to equip you and your team with practical steps for CPS 230's implementation. We will dive into the intricacies of the standard, focusing on its design and operational effectiveness to meet regulatory expectations.
