Financial Services | November 8, 2024

Helping financial institutions prepare for APRA CPS 230 compliance with the Microsoft Compliance Checklist

Duncan Taylor, General Manager, Financial Services Industry, Microsoft Australia and New Zealand

The Australian Prudential Regulatory Authority (APRA) has detailed the new Prudential Standard CPS 230 Operational Risk Management (CPS 230), which will commence on 1 July 2025.

The standard aims to ensure that APRA-regulated entities – including banks, insurers and superannuation trustees – strengthen their operational risk management and improve business continuity planning to better prepare for and respond to disruptions. A key focus is implementing robust policies to manage relationships with material service providers that assist with critical operations.

Microsoft recognises the need for regulated entities to start preparing for their compliance with the standard. To assist them, we’ve prepared two detailed resources to help our regulated customers maintain compliance when using Microsoft Cloud Services.

We are also hosting Operational Resiliency Workshops in Auckland on 11 November, Melbourne on 12 November and Sydney on 13 November 2024. Attendees will learn practical skills relevant to crisis management, business continuity, risk mitigation and more. Interested parties can sign up using the link at the end of this blog post.

A deep dive into CPS 230

In November 2023, we published Microsoft Cloud Services: Compliance With APRA Prudential Standard CPS 230 Operational Risk Management, a whitepaper that provides more detail on Microsoft’s perspective on CPS 230, why it’s being implemented and what regulated entities will be required to do as a result. It highlights the importance of identifying critical operations and material service providers to ensure that regulated entities stay compliant.

Microsoft recognises that the board of a regulated entity ultimately carries the responsibility to meet the obligations outlined by APRA in the new prudential standard. By drawing on Microsoft’s resources, board members and senior leadership can prepare to meet compliance obligations when using Microsoft Cloud Services.

How our checklist can help

In August 2024, we published A Compliance Checklist for Financial Institutions in Australia to guide regulated entities to ensure compliance when using Microsoft Cloud Services such as Azure and Microsoft 365.

This comprehensive resource supports organisations’ compliance with CPS 230 by providing a detailed guidepost for Microsoft’s regulated customers when conducting due diligence and risk assessments of Microsoft’s Cloud Services. It highlights critical compliance considerations for regulated entities when deploying Microsoft Cloud Services and offers guidance on how Microsoft can assist our regulated customers in meeting their regulatory compliance obligations.

Using the checklist will help regulated entities understand what appropriate monitoring processes and internal reporting structures are in place to help them manage outsourced services and detect or prevent security incidents. It also outlines Microsoft’s relevant procedures, such as securely destroying or removing data if needed.

Financial institutions can tailor the checklist and build on the provided guidance to suit their own operational needs. That way, they can develop and adapt an effective internal framework to ensure compliance with CPS 230, mitigate the risk of disruptions and maintain operational resilience.

Attend a Microsoft Operational Resiliency Workshop

As mentioned above, Microsoft is running three Operational Resiliency Workshops in Australia and New Zealand in November. We’ll be in Auckland on 11 November, Melbourne on 12 November and Sydney on 13 November, sharing our insights into what it takes to secure and maintain operations in the face of various threats.

This is an ideal opportunity to upskill your team and connect with a diverse professional community. Equip staff with practical tools and strategies to bolster your security and help ensure long-term stability. Learn more and register here: