Compliance Down Under: Understanding Australian Regulation CPS 230 | Mitratech Holdings, Inc


The Australian Prudential Regulation Authority (APRA) released Prudential Standard CPS 230 in March 2017. At a glance, the regulation aims to strengthen the cybersecurity resilience and operational risk management of the financial sector in Australia by establishing standards and requirements for cybersecurity best practices. But beneath the surface, there are nuances to CPS 230 that all APRA-regulated entities will need to understand — or risk regulatory sanctions and reputational damage.

Let’s dive into CPS 230 Compliance down under.

First Things First: What is CPS 230?

CPS 230, also known as the Prudential Standard CPS 230, is a regulation established by the Australian Prudential Regulation Authority (APRA) to address cybersecurity resilience in the financial sector.

The regulation sets out requirements for regulated entities, such as authorised deposit-taking institutions (ADIs), insurers and superannuation licensees, ensuring they possess adequate capabilities to detect, respond to and recover from cyber incidents.

While regulated entities have until July 1, 2025, to comply, APRA makes it clear that it expects proactive preparation in 2024.

What Are the Key…
