Breaking Down APRA CPS 230 Critical SaaS Operations Compliance

Key Takeaways

  • SaaS platforms that play any role in critical operations must meet new requirements for managing operational risks and maintaining critical operations through disruptions.
  • CPS 230 SaaS event-tracking requirements are challenging and time-consuming. Automated SaaS security can establish baselines and continuously evaluate SaaS security posture.
  • The new prudential standard goes into effect July 1, 2025. Organisations should start compliance preparations immediately to meet the looming deadline.

In July 2023, the Australian Prudential Regulation Authority (APRA) put critical SaaS platforms front and centre in a new prudential standard that organisations across Australia must abide by.

A growing wave of cybersecurity breaches and incidents jeopardised integral financial services operations, prompting APRA to draft and finalise CPS 230. And their concerns are certainly justified.

SaaS breaches are common and costly. Even as Australia’s breach rates have momentarily declined, a recent breach in the financial sector resulted in the loss of millions of customer records. IBM reports that breach costs now average $4.45 million USD. Affected organisations must now take significant steps to “better manage operational risks and respond to business disruptions” — or face stiff consequences.

What Is APRA CPS 230? How Will It Affect My Organisation?

APRA crafted CPS 230 with aims to bolster cyber resiliency and mitigate operational risk. Any SaaS platforms involved in an affected business’s key or critical operations must also be sufficiently protected and secured as part of this standard. The mandate requires a regulated entity to “effectively manage its operational risks, maintain its critical operations through disruptions, and manage the risks arising from service providers. An APRA-regulated entity’s approach to operational risk must be appropriate to its size, business mix, and complexity.”

Firms under APRA’s domain must meet these requirements by July 1, 2025. This deadline will affect scads of Australia-based firms and international companies that conduct business in Australia. To help clarify expectations and provide implementation guidance, APRA has released Prudential Practice Guide CPG 230, currently in draft form, for the CPS 230 standard.

In short, rigorous SaaS risk management and security measures have evolved from best practices to necessities. And the clock for achieving compliance is ticking.

What Organisations and Software Are Affected by CPS 230?

CPS 230 applies to a variety of financial services conducting business in Australia. The regulated entities comprise:

  1. authorised deposit-taking institutions (ADIs), including foreign ADIs, and similar institutions
  2. general insurers
  3. life insurance companies, including friendly societies, and certain foreign life insurance companies
  4. private health insurers registered under the PHIPS Act
  5. registrable superannuation entity licensees

As we’ve shared in a previous APRA-related article, achieving CPS 230 compliance means the difference between your banking and trading licences being retained or suspended (or on the path to revocation). Like its cousin CPS 234, compliance with CPS 230 is an indisputable “need to have.”

The regulations do not differentiate between on-premises, cloud, and SaaS solutions used for critical operations. Affected organisations are expected to review and account for every component of their critical operations — regardless of the software delivery method — to achieve compliance.

Regulated entities have their work cut out for them to meet these new provisions.

What Are the Main Requirements of CPS 230 Compliance?

The text of CPS 230 breaks down four key principles for compliance. A regulated entity must:

  1. “Effectively manage its operational risks,” which spans standards for conduct and compliance, maintaining critical operations “within tolerance levels through severe disruptions,” and managing risks inherent with using service providers/third parties.
  2. “Identify, assess, and manage operational risks” that may be related to inadequate or failed internal processes/systems along with the people and events involved in these systems.
  3. “Prevent disruption to critical operations,” and, to the extent practical, adapt processes and systems to work during disruptions, and to return to normal operations promptly once the disruption is resolved.
  4. “Not rely on a service provider” unless you can continue to fully meet your regulatory obligations and manage the associated risks with the service provider or third party. Your CPS 230 responsibilities aren’t limited to your own systems — you’re also responsible for the service providers and third parties you contract directly, along with the fourth parties (your service provider’s vendors) involved.

Fewer than two years to achieve CPS 230 compliance leaves little room for delay or error.

KPMG recommends a CPS 230 timeline that identifies material service providers and critical operations by July 2024 (merely 9 months away) and sets tolerance levels by the end of 2024 to achieve compliance starting in July 2025.

Attempting to meet these requirements with internal resources and existing risk management programs alone is highly unlikely, even for large enterprises.

How Do CPS 230 Mandates Affect My Cloud and SaaS Stack?

COVID accelerated the plans for moving critical operations to cloud and SaaS platforms for many Australian financial services companies. Gartner confirms this dramatic uptick, recently finding that enterprise organisations are spending 50% more on SaaS than Infrastructure-as-a-Service (IaaS).

The good news is enterprise SaaS solutions take security seriously, but they operate under a shared responsibility model.

Shared Responsibility-02

SaaS providers assume responsibility for their own business continuity, operations, and infrastructure, but you bear responsibility for SaaS security and data controls, along with user management. This is where nearly all SaaS security issues originate.

Gartner reports that 99% of cloud-related breaches occur due to misconfigurations and vulnerabilities introduced by human error.

Because you assume ownership for user management, security settings, data, and SaaS-to-SaaS apps connected to your SaaS platforms, your team must ensure that mitigating controls are in place to contain risk. This obligation includes the software supply chain your SaaS vendors rely on.

CPS 230 breaks down these directives into four categories:

(Note: We recommend working with a consultancy firm or an in-house GRC team to evaluate these directives and determine exactly what compliance means for your IT/Security.)

Risk Management Framework Requirements

APRA stipulates requirements for items such as governance of operational risk oversight and what to include in an assessment of a potential SaaS solution’s operational risk profile (with a defined risk appetite). It also covers monitoring, analysis, and reporting of operational risks and escalation for incidents and events. Additionally, you’re required to create detailed business continuity plans (BCPs) that address disruptions within tolerance levels, plans for regularly testing affected SaaS platforms with “severe but plausible scenarios,” and more.

Operational Risk Profiles, Assessments, Controls, and Incidents

Your IT team is expected to meet detailed capability specifications for maintaining and supporting critical SaaS operations and risk management, along with monitoring the age and health of information assets. This scope includes comprehensive assessments of operational risk profiles; appropriate systems to monitor operational risk and reporting findings to the Board and senior management; extensive documentation for SaaS solutions; analysis and testing of the potential impact of severe operational risk events; and other measures to reduce, and report on, operational risks.

Business Continuity

The new standard requires steps must be in place to minimise the likelihood and impact of disruptions to critical SaaS operations. This translates to maintenance of a credible BCP that delineates how you’ll maintain critical operations within tolerance levels through disruptions. You’ll need to incorporate thorough disaster recovery planning; established tolerance levels for critical SaaS disruptions; the people, resources, and tech capabilities needed to execute the BCP; a testing program for the BCP that provides for an annual business continuity exercise; and periodic reviews by your internal audit function for the credibility of your plans.

Management of Service Providers (Third and Fourth Parties)

Since you assume responsibility for the third- and fourth-party SaaS components of your critical operations — called “material service providers” — your organisation must create a comprehensive service provider management policy. This policy must cover how you will identify material service providers and managed service provider arrangements, including the management of material risks associated within the arrangements. You must demonstrate appropriate due diligence in the selection and assessment process, along with identification and management of risks that could affect the service provider’s ability to provide the service on an ongoing basis. While you may interpret portions of the CPG 230 guidelines to classify a SaaS provider as an “emerging technology,” it’s good practice to consider risks to that platform on a regular basis with the appropriate controls, management, and monitoring in place.

What Steps Should My Organisation Take Now?

If you haven’t already, begin identifying all critical operations and material services providers as KPMG suggests. Their suggested timeline of June 2024 is ideal as this assessment becomes the foundation for implementing the policies, risk controls, assessments, and monitoring protocols required by July 1, 2025.

Once critical operations and material service providers are identified, create secure configuration baselines for your SaaS applications that align with your organisation’s operational risk profile. We recommend continuously monitoring these SaaS applications to prevent drift from secure baselines in order to maintain compliance — and prevent data breaches or other compromises. An automated mechanism to detect unwarranted changes to your SaaS platforms eliminates human errors and misconfiguration.

AO-AUS-Financial-Regs-List-01-1920x1080

Tracking risky or significant events within the SaaS platform is often challenging, particularly given the lack of SaaS security expertise among app ownership teams, not to mention the typical resource constraints in Security and IT. But an automated SaaS security advisory system can continuously evaluate the security posture of these critical SaaS platforms.

For prudential standard compliance and SaaS security best practice, you should be able to clearly answer a few crucial questions:

  • Do I know what my current SaaS platform posture is today?
  • How can I reduce human error and ensure the security configurations in my SaaS platforms adhere to the security standards I’ve defined?
  • How can I plug the SaaS security expertise gap that I have today between the application/platform teams and my security team?

Answering these questions will take time, resources, and the proper SaaS security tooling.

The burden of manually evaluating SaaS security risk and posture can be alleviated with a SaaS security posture management (SSPM) tool. Your time and resource requirements are significantly reduced when automated SSPM tools measure the SaaS security controls against secure baselines and compliance frameworks.

SSPM is a pillar of building a SaaS security program to monitor the entire SaaS estate. Given the shift of business critical data to SaaS applications, a full-fledged SaaS security program is vital.

AppOmni’s SaaS Security Compliance Solution for CPS 230

Regulations designed to curb cybersecurity threats and protect consumers will likely grow over time and expand across geographies. In relatively short order, APRA CPS 230 might serve as a template for other governing bodies, particularly for regulations focused on engaging with external service providers that provide critical operational functions.

AppOmni can automatically assess, monitor, and maintain good security posture for critical SaaS platforms such as Microsoft 365Salesforce, and ServiceNow, helping you promote resilience in the face of disruption. You can realise the same visibility and controls for all SaaS apps — including custom-built SaaS solutions — with the AppOmni Developer Platform.

We’re here to help regulated entities in Australia, and companies across geographies, meet compliance requirements. 


Navigating Infosec Requirements APRA CPS 234

InfoSec Requirements for APRA CPS 234

Australia-based organizations are moving critical business operations and sensitive data to SaaS platforms. Learn what to ask your cybersecurity and organizational leaders to continually assess your SaaS security posture.


Related Resources