CPS230 is ‘not merely about ticking boxes’, warns Datadobi exec

Andy Milburn, Regional Director for APJ at Datadobi

With this week’s July 1 compliance deadline for CPS230, APRA-regulated entities across Australia are facing increasing pressure to transform their operational and third-party risk management practices.

The new prudential standard, when coupled with the already active CPS234 regulation, aims to drive a more resilient financial services ecosystem, especially in light of growing cyber threats and unstructured data challenges.

Together, CPS230 and CPS234 form a critical framework designed to address operational vulnerabilities and strengthen oversight across all levels of an organisation.

“These standards are not just about ticking boxes—they are a chance to rethink how businesses approach operational continuity and resilience,” stressed Andy Milburn, Regional Director for APJ at Datadobi.

Operational risk, if left unaddressed, can seriously disrupt core business processes, harm reputations, and threaten financial stability, he argues.

CPS230 places particular emphasis on rapid recovery and the ability to maintain continuity following incidents such as cyberattacks or system failures.

“This isn’t just about IT. Organisations need to understand that operational resilience touches everything—from financial operations to human processes,” Milburn explained.

He noted that many firms still rely on outdated controls, such as inadequate oversight or poorly defined separation of duties, which can severely limit their response capabilities.

To meet the standard’s requirements, organisations must also gain better control over their unstructured data environments.

“Imagine walking into a library without any system for cataloguing books. That’s the data challenge most businesses face today,” Milburn said. “You can’t protect or recover what you can’t find.”

Board role

Under CPS234, leadership accountability is brought into sharp focus. The regulation mandates that boards of directors be directly responsible for the governance and oversight of information security, promoting a cultural shift toward more engaged and proactive leadership.

Milburn emphasises that this requirement is already driving change: “We’re seeing boards stepping up in a way they haven’t before. Operational resilience is now recognised as a top-level business priority, not just an IT concern.”

Another central component of CPS230 is third-party risk management—an area increasingly fraught with complexity as organisations rely more heavily on cloud providers, outsourced services, and IT vendors.

“Gartner research shows that third-party cybersecurity incidents are on the rise, often resulting in major business disruptions,” Milburn said.

“Regulators are making it clear that pre-contract due diligence is no longer enough. Companies need full lifecycle management of third-party relationships.”

This means building contingency plans, defining exit strategies, and ensuring that incident response protocols are hardwired into vendor agreements.

Gartner recommends that companies not only set clear service level expectations, but also develop the capability to monitor vendors and, if necessary, swiftly disengage from underperforming or compromised ones.

“The goal is integrated, cross-functional oversight—risk, compliance, IT, and procurement all need to work together. That’s where we see the real innovation happening,” Milburn said.

Despite the weight of regulatory change, many experts view CPS230 and CPS234 not as burdens, but as opportunities. By strengthening internal controls and improving third-party risk strategies, organisations can transform compliance into a driver of growth.

Milburn says this transformation is already underway.

“There’s a real mindset shift happening. Companies that approach these standards with collaboration and urgency aren’t just checking boxes—they’re building a more agile, more secure future for themselves,” he concluded.

