Having come into effect on 1 July, APRA’s Prudential Standard CPS 230 (Operational Risk Management) means regulated entities face a step change in expectations around operational resilience.
CPS 230 sets a new benchmark: critical financial services must remain available even in the face of cyber attacks, technology failures, or third-party outages. That elevates infrastructure, data, and digital technologies to the centre of compliance. But the real challenge lies in execution.
For chief information officers (CIOs), chief technology officers (CTOs), and their teams, the task now is not about deciphering the rulebook – but activating it. From mapping service interdependencies to simulating technology failures under stress, IT leaders are now at the core of how operational resilience is built and sustained.
Here are five key areas where technology leaders must focus to turn intent into execution.
Treat resilience as a business-critical capability
CPS 230 begins with a clear understanding of which business services are deemed “critical”. CIOs and CTOs should conduct a detailed mapping of underlying systems, applications, infrastructure and interdependencies. Use business impact analysis to set acceptable tolerance levels for outages and data loss – and ensure these thresholds have board-level ownership and approval.
This process redefines how organisations approach IT infrastructure. If current systems – be it legacy technology, fragmented backups, or under-tested failover plans – can’t meet the target tolerances, upgrades or architecture changes must be prioritised.
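The mapping and tolerance exercise described above can be made mechanical once services, their underlying components and their dependencies are written down. The following is an added illustration, not code from the article or from APRA: it models each component's recovery time objective (RTO) and recovery point objective (RPO), propagates them through the dependency graph (a service is not back until everything it relies on is back, and its data loss is bounded by the worst component in the tree), and flags every critical service whose effective figures exceed the board-approved tolerance. The service names, metrics and tolerance figures are constructed for the example.

```python
"""Dependency-aware tolerance check for critical business services.

Added example for illustration; component names, RTO/RPO figures and
tolerances below are constructed, not taken from any real entity.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Component:
    name: str
    rto_hours: float                         # time to restore this component on its own
    rpo_hours: float                         # worst-case data loss window for this component
    depends_on: List[str] = field(default_factory=list)


@dataclass
class Tolerance:
    max_outage_hours: float                  # board-approved maximum tolerable downtime
    max_data_loss_hours: float               # board-approved maximum tolerable data loss


class DependencyCycle(Exception):
    """Raised when the service map contains a circular dependency."""


def effective_rto(name: str, comps: Dict[str, Component],
                  _path: Optional[Set[str]] = None) -> float:
    """Worst-case recovery time: this component's own RTO plus the slowest
    dependency chain beneath it (sequential restore assumed)."""
    _path = _path or set()
    if name in _path:
        raise DependencyCycle(f"cycle through {name}")
    comp = comps[name]
    deps = [effective_rto(d, comps, _path | {name}) for d in comp.depends_on]
    return comp.rto_hours + (max(deps) if deps else 0.0)


def rpo_driver(name: str, comps: Dict[str, Component],
               _path: Optional[Set[str]] = None) -> str:
    """Name of the component whose RPO bounds the service's data loss.
    If the data-loss tolerance is breached, this is the upgrade to prioritise."""
    _path = _path or set()
    if name in _path:
        raise DependencyCycle(f"cycle through {name}")
    comp = comps[name]
    worst_rpo, worst = comp.rpo_hours, name
    for d in comp.depends_on:
        sub = rpo_driver(d, comps, _path | {name})
        if comps[sub].rpo_hours > worst_rpo:
            worst_rpo, worst = comps[sub].rpo_hours, sub
    return worst


def assess(critical: Dict[str, Tolerance],
           comps: Dict[str, Component]) -> Dict[str, dict]:
    """Compare each critical service's effective RTO/RPO with its tolerance."""
    report = {}
    for svc, tol in critical.items():
        rto = effective_rto(svc, comps)
        driver = rpo_driver(svc, comps)
        rpo = comps[driver].rpo_hours
        breaches = []
        if rto > tol.max_outage_hours:
            breaches.append(f"effective RTO {rto:g}h exceeds tolerance {tol.max_outage_hours:g}h")
        if rpo > tol.max_data_loss_hours:
            breaches.append(f"effective RPO {rpo:g}h (driven by {driver}) exceeds "
                            f"tolerance {tol.max_data_loss_hours:g}h")
        report[svc] = {"effective_rto": rto, "effective_rpo": rpo,
                       "rpo_driver": driver, "breaches": breaches}
    return report


# Constructed service map: a payments service that depends on a core database
# and an authentication service, which in turn depends on a directory with
# only daily backups (the hidden weak point a dependency map should expose).
COMPONENTS: Dict[str, Component] = {
    "payments":   Component("payments", 2.0, 0.5, ["core_db", "auth"]),
    "statements": Component("statements", 8.0, 24.0, ["core_db"]),
    "core_db":    Component("core_db", 4.0, 1.0),
    "auth":       Component("auth", 1.0, 0.0, ["directory"]),
    "directory":  Component("directory", 3.0, 24.0),
}

# Constructed tolerances as a business impact analysis might set them.
CRITICAL_SERVICES: Dict[str, Tolerance] = {
    "payments":   Tolerance(max_outage_hours=4.0, max_data_loss_hours=1.0),
    "statements": Tolerance(max_outage_hours=24.0, max_data_loss_hours=24.0),
}


if __name__ == "__main__":
    for svc, result in assess(CRITICAL_SERVICES, COMPONENTS).items():
        status = "OK" if not result["breaches"] else "GAP"
        print(f"{svc}: {status} rto={result['effective_rto']:g}h rpo={result['effective_rpo']:g}h")
        for b in result["breaches"]:
            print(f"  - {b}")
```

Run on the constructed map, the payments service fails both tolerances even though its own RTO and RPO look acceptable: the four-hour database restore pushes its recovery to six hours, and the directory's daily backup means an authentication outage could cost a day of data. That is the kind of gap a standalone per-system view hides and a dependency map surfaces, and the `rpo_driver` output tells the team which component to put at the top of the upgrade list.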
Put your recovery plans to the test – and do it often
Updating business continuity plans is a given – but they need to be specific to CPS 230’s focus on critical operations.
Conduct regular scenario-based exercises that mimic real-world events such as cyber attacks and infrastructure outages. These exercises must include all relevant business units, not just IT, and test against the defined tolerances for downtime.
Importantly, run exercises regularly, not occasionally. One-off drills won’t build readiness. Regular simulation embeds confidence, speed and coordination. All team members should already know what to do, because they’ve done it before.
Identify and address third-party risk – because you’re still accountable
Resilience assessments must also extend beyond an organisation’s boundary to include vendors and external tech providers. CPS 230 makes it clear: outsourcing a critical service does not outsource a business’s accountability. That means technology teams must treat third-party risk as seriously as internal risk.
Start by reviewing, renegotiating, and reframing contracts to align with regulatory mandates – including audit rights, uptime SLAs, and continuity provisions. Where possible, set up a dedicated third-party risk management (TPRM) function that can track compliance and review performance regularly.
Finally, develop contingency plans for third-party failures. Ask: what if they can’t deliver? Ensure regular communication with vendors on risk issues is maintained.
Embed compliance into your architecture and development life cycle
Compliance has traditionally been seen as a constraint. But, with the right technology approach, it can become a driver of resilience.
Build compliance into the technology life cycle – from design to development through to operations. Use AI-enabled risk monitoring and embed security by design to detect vulnerabilities earlier and respond faster. This allows organisations to maintain a consistent compliance rhythm without compromising innovation.
When compliance is integrated, not added on, businesses move faster and more safely – and better meet the intent of CPS 230.
Build a coordinated, cross-functional response capability
CPS 230 introduces strict reporting thresholds, including a 24-hour incident notification window to the Australian Prudential Regulation Authority (APRA). This fundamentally changes the way incidents are managed. Incident playbooks, escalation paths, and response drills all need to reflect this threshold.
In practice, this requires more than just rewriting procedures. It means embedding a new mindset across engineering, ops, and risk teams. Your frontline IT staff – not just your execs – need to know exactly when an incident becomes a regulatory event.
Many organisations now understand what CPS 230 demands, but translating that into execution remains a challenge. Knowing what needs to be done is only the first step. Delivering on it requires cross-functional coordination, clear priorities, and practical change at the technology and operational level.
CPS 230 is no longer theoretical. The real test lies in how businesses design, run and protect their critical services – and technology will be a key enabler of this. Cyber resilience isn’t just a compliance requirement. It’s a core capability.
And from this point forward, it must be treated as non-negotiable for Australian organisations.