Australian Prudential Regulation Authority (APRA) - CPS 230 FAQs

  • Q: What is CPS 230?

    A: CPS 230 is an Australian Prudential Standard designed to strengthen operational risk management and resilience across the Australian financial sector. The regulation took effect on July 1, 2025.

  • Q: What entities are subject to CPS 230?

    A: CPS 230 applies to APRA-regulated entities, specifically:  

    • Authorized deposit-taking institutions (ADIs)
    • General insurers
    • Life insurance companies
    • Private health insurers
    • Registrable Superannuation Entity licensees (RSE licensees)
  • Q: What is expected of a regulated entity under CPS 230?

    A: Entities subject to CPS 230 are expected to:

    • Effectively manage operational risks,
    • Maintain critical operations during severe disruptions, and
    • Manage risks arising from material service providers.
  • Q: Is Proofpoint regulated by CPS 230?

    A: No, Proofpoint is not a regulated entity under CPS 230. Rather, Proofpoint is a third-party provider from which a regulated entity receives services. Regulated entities are required to monitor their third-party service provider relationships to meet their operational risk management requirements. The level of oversight depends on whether the provider is a material or non-material service provider.  

  • Q: What is the difference between a material and non-material service provider under CPS 230?

    A: A non-material service provider is one that does not support the regulated entity’s critical operations or pose material operational risk. Conversely, a service provider is considered material if it provides services that are essential to the regulated entity’s critical operations or exposes the entity to material operational risk.

  • Q: What is a critical operation under CPS 230?

    A: A critical operation is a process or function that is so important that its disruption or failure would have a material adverse impact on the regulated entity’s customers or its role in Australia’s financial system.

  • Q: Does a customer’s use of Proofpoint’s services relieve it from their regulatory obligations under CPS 230?

    A: No. Proofpoint’s customers are required to ensure that they meet their own regulatory obligations.

  • Q: How can Proofpoint help organizations meet their obligations under CPS 230?

    A: Proofpoint offers a range of cybersecurity and compliance solutions that can help its customers protect themselves from cybersecurity threats, insider risks, supply chain vulnerabilities, and other operational risks.

  • Q: What information can Proofpoint provide to its CPS 230 regulated customers to help satisfy their third-party oversight requirements?

    A: Subject to a non-disclosure agreement, as applicable, and in its sole discretion, Proofpoint may provide various types of documentation.

    For additional information regarding Proofpoint’s products and services please see Proofpoint.com and its Trust site.

© 2025 Proofpoint. All rights reserved. The content on this site is intended for informational purposes only.
Last updated November 26, 2025.