Preparing for APRA CPS 230: What insurers need to know

Brought to you by Interactive

With the introduction of APRA CPS 230, Australian insurers face a new regulatory environment that prioritises proactive risk management, operational resilience and third-party oversight. 

Beyond compliance, CPS 230 establishes a structured framework for insurers to strengthen risk management, ensuring they can maintain critical operations during disruptions. The new standard also reinforces board and senior management accountability, requiring leadership teams to set clear risk tolerance levels, monitor vendor dependencies, and oversee business continuity measures.

To help insurers navigate the transition, Lizzi Long, General Manager of Data Centres and Business Continuity at Interactive, shares key insights on what the new standard entails and how to prepare effectively.

The new requirements being introduced

CPS 230 introduces clear expectations for how insurers must manage operational risk. The emphasis is on maintaining critical operations through a disruption rather than only recovering from it afterwards. This means:

  • Boards must approve, and senior management must maintain and review, tolerance levels for disruptions to each critical operation.
  • A shift from reactive recovery planning to proactive operational resilience, ensuring the business can keep operating within tolerance even during severe disruptions.
  • Tighter oversight of third-party risks, requiring insurers to formalise agreements with material service providers, monitor their performance, and maintain a register of material service providers that is submitted to APRA annually.

To meet these requirements, insurers will need to integrate CPS 230 compliance into their risk frameworks, governance structures, and operational policies.

Here is how they can be addressed:

Assessing operational risks and tolerance levels

To meet CPS 230 standards, insurers should conduct a comprehensive assessment of operational risks. This involves:

  • Identifying critical operations. For insurers the standard explicitly names claims processing, and for all regulated entities customer enquiries and the systems and infrastructure that support critical operations. For each, map the people, technology, data and service-provider dependencies it relies on.
  • Defining acceptable downtime thresholds, so that the duration of a disruption stays within a set limit.
  • Establishing the minimum service levels that must be maintained under alternative arrangements to protect policyholders and prevent significant business impact.

APRA requires insurers to clearly define tolerance levels for each critical operation by assessing:

  • The maximum period the operation can be disrupted before it causes material harm to policyholders or to the insurer.
  • The maximum extent of data loss the insurer would accept as a result of a disruption.
  • The minimum level of service that must still be delivered while operating under alternative arrangements, and the recovery objectives that must be met to stay within those limits.

Regular scenario testing and industry benchmarking can help insurers validate whether their tolerance levels are realistic and practical under real-world conditions. Insurers should also periodically review and adjust these levels based on emerging risks and operational changes.

Updating business continuity plans

Under CPS 230, Business Continuity Plans (BCPs) will need to evolve from simple recovery strategies into plans for maintaining critical operations within tolerance while a disruption is under way.

Insurers will need to:

  • Develop real-time response strategies that allow them to operate through crises rather than just recover afterwards.
  • Conduct annual business continuity testing with severe but plausible crisis scenarios, including cyberattacks, supply chain failures, and operational outages.
  • Ensure senior management is actively involved in crisis response, not just post-event recovery.

APRA expects insurers to regularly review and refine their business continuity plans, ensuring they remain practical and aligned with current risk environments.

Managing third-party risks under CPS 230

CPS 230 places increased responsibility on insurers to monitor their vendors and third-party service providers. To comply, insurers must:

  • Establish a formal service provider management policy, defining clear expectations for third-party providers and how material providers are identified and assessed.
  • Maintain a register of material service providers and submit it to APRA annually.
  • Include contractual clauses that hold material service providers to the insurer's own obligations: defined service levels, prompt notification of incidents and material changes, audit and information-access rights for both the insurer and APRA, and the right to terminate the agreement if the provider fails to meet them.

Given the increasing reliance on third-party providers for core insurance operations, insurers should also have contingency plans in place to mitigate disruptions if a vendor, or a subcontractor that vendor depends on, fails to meet regulatory or performance standards.

Maintaining compliance long term

CPS 230 introduces strict reporting obligations to enhance transparency and accountability. Insurers must:

  • Notify APRA as soon as possible, and no later than 24 hours, after a disruption to a critical operation exceeds its tolerance level.
  • Notify APRA as soon as possible, and no later than 72 hours, after becoming aware of an operational risk incident likely to have a material financial impact or a material impact on the ability to maintain critical operations.
  • Conduct internal audits and risk assessments, ensuring compliance gaps are identified and addressed.
  • Maintain structured governance frameworks with clear processes for risk monitoring and escalation.

If APRA identifies weaknesses in an insurer's operational risk management, it may require remediation programs, impose additional capital requirements or increase regulatory oversight. 

Integrating ongoing monitoring, staying in close communication with APRA and staying updated on any regulatory changes will be essential for long-term compliance.

Building a culture of resilience 

CPS 230 is a chance for insurers to build a culture of resilience. It's not just a checklist. Taking these new guidelines seriously can not only enhance compliance but also lead to stronger customer trust and a more adaptable business overall. If insurers use CPS 230 as a framework to continually assess and improve their resilience strategies, they'll be better positioned to handle whatever challenges come their way in the future.

Interactive is here to help. With expertise in business continuity, disaster recovery, cyber security, and risk management, Interactive provides tailored solutions that support insurers in meeting CPS 230 requirements while improving operational resilience.

To learn more about preparing for CPS 230 or to book a tour, visit Preparing for APRA CPS 230