CFOtech Australia - Technology news for CFOs & financial decision-makers
Australia

Guides

#
artificial intelligence
#
data analytics
#
digital transformation
#
fintech
#
health technologies

Search

Tasneem zaveri
#
Digital Transformation
#
Encryption
#
MarTech

Beyond compliance: Building Salesforce resilience for APRA CPS 230

Sat, 22nd Nov 2025
By Tasneem Zaveri, Senior Solutions Engineer, Odaseva

Financial institutions in Australia are accelerating their digital transformation, relying heavily on cloud platforms, data systems, and third-party providers. Research shows that 99.3% of customer-bank interactions now occur via digital channels, up from 99.1% in 2024 (source: Australian Bank Association). This shift, while delivering speed and scalability, has introduced new risks. In response, the Australian Prudential Regulation Authority (APRA) introduced the Cross-Industry Prudential Standard (CPS 230) on operational resilience, effective 1 July 2025.

For CISOs, risk officers, and enterprise architects, CPS 230 is a strategic mandate to ensure operational resilience - even in the face of severe disruptions - particularly for core financial systems built on platforms like Salesforce.

The Strategic Imperative of CPS 230

CPS 230, which replaces five existing standards, mandates adherence to rigorous expectations for managing operational risk and third-party dependencies. APRA's focus, as highlighted in its 2024-25 Corporate Plan, is on ensuring entities "maintain critical financial services in a world that is becoming more interconnected and dependent on digital technologies."

While CPS 230 covers broader operational risk, it requires compliance with Prudential Standard CPS 234 Information Security (CPS 234) for managing technology risks. Together, these standards ensure the continuity of essential services and protect public access, recognising that digital infrastructure is fundamental to financial operations.

The first crucial step is identifying critical operations - processes which, if disrupted beyond tolerance levels, would materially impact customers or the financial system. Processes like loan applications, claims handling, and fund administration are all considered critical.

The growing reliance on cloud-based solutions to support such critical operations is why APRA explicitly includes Material Service Providers (MSP) in its scope. Crucially, the standard ensures that outsourcing to the cloud offers no loophole: SaaS solutions like Salesforce, when supporting critical operations, are defined as MSPs, and accountability for the resilience of these outsourced functions remains firmly with the Regulated Entity (RE) and cannot be delegated.

Navigating the Salesforce Shared Responsibility Model

Understanding and implementing the Salesforce Shared Responsibility Model is crucial for REs to enhance control and resilience.. While Salesforce secures the platform and ensures uptime, protecting data integrity and availability is the customer's responsibility.

CPS 230 significantly amplifies this, requiring REs to protect SaaS data against all risks. This includes:

  • Human Error and Misconfiguration: Everyday administrative errors, like deleting custom fields or changing picklist values, are the leading causes of data loss.
  • Automation Gone Wrong: Uncontrolled actions from bulk imports, record merges, or accidental deployment of test campaigns in production.
  • Production Change Considerations: Errors from custom Apex code or misconfigured automations deployed to a complex, live environment.
  • Failed Backups: The inherent agility of a Salesforce Org, with its constant changes to objects and features, can cause backup and restoration processes to fail if they are not actively monitored and adapted to changes that can affect the backup processes.

As APRA states, REs must manage such operational risks that result from "inadequate or failed internal processes or systems, the actions or inactions of people or external drivers and events." and that "operational risk is inherent in all products, activities, processes and systems."

Five Rules for CPS 230 Compliant Resilience

To meet the operational risk management requirements of CPS 230 without compromising speed and agility, REs must adopt an enterprise-grade Salesforce backup and restore strategy that adheres to five key principles:

1. Require an Independent Backup Provider

APRA warns against insufficient segregation between production and backup environments. Relying on the platform provider for backup creates a single point of failure where one compromise can affect both the source system and the backup.

The Mandate: Backups must be stored independently from the Salesforce production environment, ensuring robust segregation and preventing systemic failure. You can read more on this topic here.

2. Prove Restoration, Don't Just Assume It

A backup is only as good as its ability to restore. APRA requires systematic testing, stating that REs must not only maintain a business continuity plan but also test it annually, document gaps or changes, and have it regularly reviewed by internal audits.  

The Mandate: The solution must provide complete backup coverage and restore readiness, intelligently handle complex object hierarchies and circular references, and use optimal APIs to ensure fast, accurate, and auditable Salesforce restoration. 

3. Protect Security and Confidentiality

Information security (CPS 234) is central to operational resilience. APRA mandates that backups must be protected from "unauthorised access, modification or alteration." This is paramount, especially as backups are increasingly targeted by cyberattacks.

The Mandate: The solution must encrypt data at the most granular level, extending the protection offered by Shield encryption and preserving full confidentiality throughout backup and restore - ensuring the data is never exposed in clear text. You can read more about this here.

4. Monitor and Alert Proactively

Robust monitoring is foundational to operational resilience. CPS 230 mandates that REs report material operational incidents to APRA within 72 hours.

Proactive alerts - such as those triggered by mass exports, deletions, or failed backups - enable IT teams to quickly investigate anomalies and contain threats before they become compliance or continuity risks.

The Mandate: The solution must detect abnormal data changes, deletions, or failed backup jobs. Continuous monitoring and optimisation of the backup plan ensures it remains effective, within tolerance levels, and aligned with the RE's evolving operations.

5. Assess the Backup Provider for Materiality

The backup service is vital for ensuring critical operations can remain within tolerance levels during a disruption and because backups contain complete copies of data, the provider itself meets the criteria for an MSP.

The Mandate: The RE must evaluate the design of the provider's information security controls and contract with a trustworthy, compliant third-party that holds robust, independently verified security certifications (e.g., ISO 27001, SOC 2 Type II).

Finalising Your Resilience Strategy

APRA's CPS 230 is not a compliance exercise; it is a mandate for genuine operational resilience. For REs relying on Salesforce, this requires a solution that is independent, secure, tested, and continuously monitored. By committing to this rigorous approach, REs can transform CPS 230 adherence from a regulatory burden into a strategic advantage that builds a resilient foundation for all critical operations.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
2026 Predictions: The year identity becomes the ultimate control point for an autonomous world
academyEX names Glenn Elith as Group Chief Executive
Guidewire names Suresh Raman APAC regional vice president
Worldpay link lets Australians buy crypto instantly
Australian employers chase hybrid skills & purpose

Top stories

AI, compliance and security trends for 2026
ASUS wins deal to supply 8,500 Chromebooks to ACT
CMC highlights ‘Furious Five’ themes set to shape 2026
SMEs fight RBA plan to outlaw card surcharges
AI-led workplaces twice as likely to beat revenue goals