You may have seen some references lately to CPS 230 – a new regulation being introduced by APRA (the Australian Prudential Regulation Authority). While it’s aimed at banks, insurers and super funds, it’s set to have flow-on effects for advisers, especially those working in risk advice.
Even if you’re not directly subject to these rules, they’ll change how insurers and platforms operate – and that means the way you engage with them may shift too.
This article breaks it down simply – what’s happening, why it matters, and what you should start thinking about to stay aligned and avoid disruption.
What Is CPS 230 (In Plain English)?
CPS 230 is about making sure financial institutions are better prepared for operational risks – including system failures, cyber incidents, and disruptions caused by third parties. It takes effect from 1 July 2025 and brings together previous rules on outsourcing, risk management, and business continuity.
Institutions need to prove they’ve got tight control over their systems, their service providers, and their ability to continue critical operations if something goes wrong.
That includes advisers.
So Why Does This Affect Me as an Adviser?
You might not be APRA-regulated, but your work is closely tied to institutions that are – especially insurers. Here’s how their response to CPS 230 could impact your day-to-day:
Portal Access May Get Stricter
Expect stronger, clearer control over who can access client data, and possible limitations on secondary users or outsourced admin staff.
→ If your team shares login credentials, this will likely need to change.
Data Sharing Processes May Tighten
Advisers often move client data manually – via email, PDF, or uploads. But CPS 230 puts pressure on insurers to clean this up, so expect changes to how information is exchanged.
→ Think about where your data comes from, how you send it, and who has access.
You Might Be Asked to Show Your Controls
As insurers shore up their own risk management, they may start asking questions of the advisers they work with – particularly those with direct access to platforms or sensitive client data.
→ Having a basic plan for how you manage access, passwords, staff onboarding/offboarding, etc. will help.
The Opportunity for Advisers
Rather than seeing this as compliance noise, this is a great time to tighten the ship. With so much of our work relying on client trust and data security, CPS 230 is a prompt to check your own risk and continuity planning.
Here’s where Fraser Jack from The Cyber Collective adds some insight:
“Many advisers – especially small practices – still don’t have structured onboarding or offboarding processes for team members. Shared logins, weak passwords, and untracked access are common. These are simple things that, if fixed, massively reduce risk.”
Fraser works with practices to implement easy-to-follow frameworks – not just for compliance, but for making sure teams are confident and consistent in their day-to-day habits.
“This isn’t just about IT – it’s about building good behaviours across the team, including mandatory ongoing training. Advisers handle some of the most personal and sensitive data out there, so the bar needs to be higher than it is today.”
In March 2025, ASIC specifically called attention to the lack of mandatory cybersecurity awareness training in its case against FIIG Securities (see: ASIC sues FIIG Securities for systemic and prolonged cybersecurity failures).
A Working Relationship That Matters
From my perspective, one of the big risks is that as insurers start tightening controls to meet CPS 230, they may unintentionally make life harder for advisers – especially if access to systems becomes restricted, or processes get more complex.
There’s a real need for insurers and advisers to work hand-in-hand on this. Systems need to be modern, secure and adviser-friendly, with clear communication and support through any changes.
At the same time, advisers need to do their part – having clean processes, secure habits, and an understanding of how operational risk flows through their business.
Where to from here?
- Start by reviewing who has access to your systems, and whether those access points are secure.
- Think about how your team handles client data – is it trackable, and are good habits in place?
- Talk to the providers you deal with – are they planning any changes you need to prepare for?
And if you’re unsure where to start, Fraser’s team at The Cyber Collective offers structured support and training that makes it practical – not overwhelming.
Want to know more about getting your practice in shape before CPS 230 hits?
Drop us a line or connect with Fraser via The Cyber Collective – let’s make sure you’re ahead of the curve.
Quick CPS 230 Readiness Check
- Are all logins individualised?
- Do you onboard/offboard staff with clear steps?
- Do you know where client data is stored?
- Are your providers planning CPS 230 changes?