
Australian Regulation CPS 230’s Impending Impact on SaaS

Beginning in July 2025, certain SaaS applications adopted by Australian financial institutions and scoped organizations (e.g. health insurance, life insurance, deposit-taking institutions, or superannuation fund trustees) will be impacted by a new Australian Prudential Regulation Authority (APRA) standard called CPS 230. 

Its goal is to focus the attention of Boards of Directors on operational resilience and prepare for service disruptions by:

  • Identifying and managing operational risk
  • Understanding the impact of disruptions to customers and the wider financial system
  • Taking actions to prevent service disruptions and enhance resilience 
  • Effectively responding to severe business disruptions and minimizing the impact on services
  • Adopting policies to continuously manage risks from third- and fourth-party service providers

Now, relevant SaaS applications introduced to a scoped entity’s environment will positively or negatively affect the organization’s overall risk profile. SaaS apps that are currently—or will be—used by the $360.6B Australian financial industry must be properly configured and secured to ensure cyber risks are effectively managed and do not impact the resilience of these entities. 

How is CPS 230 focusing on SaaS?

In today’s SaaS-centric world, businesses rely on applications to deliver services and conduct day-to-day operations. Because disruptions to operations must be avoided, and because threat actors are targeting businesses in Australia (and globally) through their SaaS, critical SaaS applications are in scope. 

SaaS breaches have increased 300% year over year, including attacks on household names like Ticketek, and the financial consequences of these breaches can run into the millions of dollars. Building resiliency by securely configuring SaaS applications, governing the integrations used in app-to-app data movement, and detecting threats across SaaS has become an urgent focus. 

To pass a CPS 230 audit, APRA-entities must demonstrate that their posture, security, and processes are operating effectively and consistently in their SaaS environments. This challenge is uniquely difficult for SaaS because of the hidden and complicated integrations between what can be hundreds of SaaS applications. With 55% of shadow SaaS apps (invisible to IT) connected to core applications, unknown and unsecured apps pose a serious threat to critical business components. An impact on any of these could spell disaster for service delivery or data integrity.

How to prepare for CPS 230

Senior management is responsible for the end-to-end process of ALL business operations to meet CPS 230 compliance. SaaS applications fall squarely in this new purview. Let’s look more closely at how companies can position themselves to reduce their risk profile and not only comply with CPS 230, but avoid a significant cyber incident.

Operational Risk Management

Every APRA-scoped entity is required to manage their full range of operational risks such as:

Legal
  • Automated detection and identification of any SaaS data sub-processors
  • Automated validation of which vendors require a DPA

Regulatory
  • Ensuring all SaaS apps that ingest regulatory-scoped data are automatically detected
  • Ensuring least-privilege and deny-by-default controls are automatically deployed to those apps
  • Establishing real-time monitoring of the SaaS environment and automated validation of regulatory scope impact based on data sensitivity and scoped attributes

Compliance
  • Baseline hardening standards should be developed for each SaaS app classification or category of app
  • Each app introduced to the environment, and/or each integration with a core SaaS app, should be automatically evaluated against its corresponding baseline and disabled if in a non-conforming state
  • Enterprise policies that have technical requirements should be translated into programmatic checks across SaaS to ensure all apps are configured in alignment with those requirements
  • Automated fail-safe/fail-secure mechanisms should be applied to configured compliant states so that accidental or unauthorized changes resulting in a non-compliant state automatically revert to the defined compliant state

Technology
  • Discover shadow SaaS
  • Discover shadow data processors
  • Limit local authentication and federate approved SaaS vendors
  • Harden critical SaaS services, for example by reducing excessive user permissions, protecting data, and introducing process and controls around connected integrations

Data
  • Classify and govern exposure of sensitive data
  • Real-time automated validation of who has access to what category/classification of data across SaaS
  • Real-time monitoring of existing sensitive data flows between SaaS apps, and detection of net new ones
  • Proactive monitoring and enforcement of encryption strength and protocol requirements for integrations that facilitate sensitive data flows between SaaS

Change management
  • Detect/monitor SaaS application configuration changes in real time

Even harder than creating new policies and process documentation is the deployment, monitoring, and reporting on the actual controls that are relevant. Notification and enforcement policies are required for proactive risk tolerance management. 

Mapping these controls to a SaaS security platform is recommended to ensure automated and constant compliance.
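The baseline evaluation, disable-if-non-conforming rule and fail-secure revert described in the Compliance controls above, as an added example written for this article (it is not Obsidian's code and uses no vendor API). The app categories, setting keys, baselines and the snapshot of observed settings are all constructed placeholders; a real deployment would pull the snapshot from each app's admin API.

```python
"""Baseline conformance check for SaaS application settings.

Added example for this article, not Obsidian's code or any vendor's API. It
shows the Compliance-column controls in working form: a hardening baseline per
app category, each app evaluated against its baseline, non-conforming apps
flagged for disablement, and a fail-secure revert plan naming the value to
write back. Baseline keys, app names and the snapshot are constructed.
"""
from dataclasses import dataclass
from typing import Any

# Hypothetical hardening baselines keyed by app category (constructed).
# A value is either an exact expected setting or an (operator, bound) tuple.
BASELINES: dict[str, dict[str, Any]] = {
    "identity-critical": {
        "mfa_required_for_admins": True,
        "local_password_auth_enabled": False,  # federate through approved SSO only
        "public_sharing_enabled": False,
        "session_timeout_minutes": ("<=", 60),
        "min_tls_version": (">=", 1.2),
    },
    "collaboration": {
        "mfa_required_for_admins": True,
        "public_sharing_enabled": False,
        "session_timeout_minutes": ("<=", 480),
    },
}


@dataclass(frozen=True)
class Finding:
    app: str
    setting: str
    observed: Any
    expected: Any
    revert_to: Any  # value a fail-secure mechanism would write back


def conforms(observed: Any, expected: Any) -> bool:
    """True when an observed setting satisfies the baseline entry.
    A missing setting (None) never conforms: deny-by-default."""
    if observed is None:
        return False
    if isinstance(expected, tuple):
        op, bound = expected
        return observed <= bound if op == "<=" else observed >= bound
    return observed == expected


def revert_value(expected: Any) -> Any:
    """The compliant value to restore; for a bounded setting, the bound itself."""
    return expected[1] if isinstance(expected, tuple) else expected


def evaluate_app(app: str, category: str, settings: dict[str, Any]) -> list[Finding]:
    """Compare one app's observed settings with the baseline for its category."""
    return [
        Finding(app, key, settings.get(key), expected, revert_value(expected))
        for key, expected in BASELINES[category].items()
        if not conforms(settings.get(key), expected)
    ]


def evaluate_environment(snapshot: dict[str, dict[str, Any]]) -> dict[str, dict[str, Any]]:
    """Decide per app: keep enabled, or disable until the revert plan is applied.

    snapshot maps app name -> {"category": str, "settings": {...}}.
    """
    report = {}
    for app, info in snapshot.items():
        findings = evaluate_app(app, info["category"], info["settings"])
        report[app] = {
            "state": "conforming" if not findings else "non-conforming",
            "action": "none" if not findings else "disable_until_reverted",
            "revert_plan": {f.setting: f.revert_to for f in findings},
        }
    return report


# Constructed snapshot: one drifted identity-critical app, and one collaboration
# app with public sharing turned on and its timeout setting missing entirely.
SAMPLE_SNAPSHOT = {
    "hr-suite": {
        "category": "identity-critical",
        "settings": {
            "mfa_required_for_admins": True,
            "local_password_auth_enabled": True,  # drift: local logins re-enabled
            "public_sharing_enabled": False,
            "session_timeout_minutes": 30,
            "min_tls_version": 1.2,
        },
    },
    "wiki": {
        "category": "collaboration",
        "settings": {"mfa_required_for_admins": True, "public_sharing_enabled": True},
    },
}

if __name__ == "__main__":
    for app, result in evaluate_environment(SAMPLE_SNAPSHOT).items():
        print(app, result["state"], result["action"], result["revert_plan"])
```

Two design points carry the regulatory intent: a setting absent from the snapshot is treated as non-conforming rather than ignored (the deny-by-default control in the Regulatory column), and the revert plan is computed from the baseline, not from the last known-good snapshot, so an unauthorized change cannot become the new "good" state simply by surviving one polling interval.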

Operational Risk Profile and Assessment

Entities must maintain a comprehensive assessment of new products, services, technologies, and geographies as part of their overall operational risk profile. This can be achieved with effective information systems that monitor risk and help facilitate reporting to the Board and senior management. 

APRA may require an entity to review and strengthen internal controls or processes where it has identified heightened risks. One control organizations can implement to improve their risk profile as well as meet this requirement is a SaaS security platform to maintain this robust assessment. 

Operational Risk Controls

APRA-regulated entities must design, implement, and embed internal controls to mitigate operational risk in line with their risk appetite and to meet compliance obligations. Controls must be regularly monitored, reviewed, and tested for operational effectiveness at a frequency aligned to the materiality of the risks being controlled. 

Testing results must be reported to senior management, and gaps and deficiencies must be remediated in a timely manner. All control weaknesses and gaps must be documented in the entity's operational risk profile until they are fully remediated.

CPS 230 mandates the boards of APRA-entities to notify APRA within 72 hours if their organization is aware of an incident or risk that will impact their operations. It is imperative for APRA-entities and their contracted SaaS providers to understand how their teams will respond to cyber incidents and minimize their impact.

This starts with defining critical operations and processes, and determining the acceptable recovery time objective (RTO) and recovery point objective (RPO) if an outage occurs. Having a strategy to restore normal operations, and a communication plan to support its execution, is necessary not just for APRA-entities but for all scoped service providers. Every hour of downtime can cost millions.

Material Service Providers

APRA-entities are required to maintain a register of their material service providers and manage the risks associated with each. Material service providers are those which the entity relies on to undertake a critical operation or that expose it to operational risk. This may include SaaS. 

Entities must provide APRA with a list of vendors that match the below descriptions on an annual basis:

  • Credit card companies
  • Mortgage companies
  • Funding/liquidity management
  • Insurance companies, underwriters, claims, insurers
  • Fund administration, custodial services, investment companies
  • Risk management services, core technology services, and internal audit

To meet the July 2025 CPS 230 deadline, identifying your material service providers this year is recommended. Automating this process with a SaaS security platform that surfaces high-risk applications in your environment not only streamlines compliance but ensures every vendor that meets this classification is included, irrespective of federation status.

Resiliency

Preventing breaches from disrupting services is a key outcome for CPS 230 scoped entities. The best way to get ahead of this compliance mandate is to implement robust identity security measures to prevent compromises. 

Posture alone cannot achieve this goal. Marrying posture with additional security solutions for your applications, data, and identities helps ensure SaaS threats to your organization are stopped. 

Tips for success with CPS 230: don’t go it alone

Relying on a manual process to meet CPS 230 simply will not work. Adopting a SaaS security solution helps achieve CPS 230 compliance in two distinct ways:

  1. Onboarding a solution itself is a control that improves your risk profile: Having a tool in place specifically designed to monitor SaaS holistically through data governance, application posture, and identity security improves your risk profile.
  2. Automating the process reduces the burden: Automating workflows to track and secure each individual SaaS application, the integrations within the larger operations, and benchmark progress streamlines the auditing process.

Creating a mapping framework with a SaaS security partner to quickly meet the relevant standards for CPS 230 is needed to realistically comply with the scale and diversity of every new rule without disrupting business relationships.

In review: This is just the latest example of a growing trend of regulators shifting compliance to include SaaS apps and mandating regulated entities to extend their risk management to include these critical applications and ensure that they are properly protected and meet resiliency standards. 

In fact, the United Nations reports that 80% of nations either currently have or are drafting legislation to secure the protection and privacy of data. Multiply the compliance burden of CPS 230 to each new standard and the DIY strategy quickly falls flat.  

How Obsidian Security can help with CPS 230 

Minimizing the downstream impact of breaches on the larger economy puts SaaS in the hot seat like never before. Obsidian Security is uniquely positioned to bridge the gap in SaaS risk management for regulated entities and third- and fourth-party providers, specific to CPS 230 and other standards. 

Our platform quickly and continuously supplies an accurate listing of SaaS apps—particularly in the case of shadow SaaS—and how they perform against compliance standards. Plus, Obsidian’s platform combines application posture with identity and data protection to prevent, detect, and mitigate threats across the kill-chain.

Harden Application Posture to Manage Risk

Ensuring each app is properly configured against the relevant controls is difficult: it takes 28 days on average to audit an individual SaaS app. Teams must then keep monitoring apps over time to combat configuration drift. 

The Obsidian platform quickly and continuously surfaces all apps in your environment and measures how they perform against the internal or external compliance standards you follow. Monitoring your posture with Obsidian gives security teams the ability to rapidly assess app configurations (e.g. enforcing MFA for privileged users) and remediate any risk.

SaaS Identity Security Enhances Operational Resilience

CPS 230 specifically calls out operational resiliency as a core component. Obsidian operationalizes out-of-the-box detection rules mapped to the MITRE ATT&CK framework and informed by hundreds of incident response engagements to prevent, detect, and mitigate threats.

ML-based algorithms quickly identify anomalous user behavior to stop threats, protecting your organization from service disruptions or data theft.

Conclusion

Schedule a demo to see for yourself how Obsidian Security can simplify your audits and alert your teams to novel threats other security platforms miss.