The Contract Is Not the Control.
CPS 230 lands on 1 July — and the risk it governs was never the vendor’s to carry.

Could you show your board, today, what each material service provider exposes to the open internet? CPS 230 now makes that the board’s question. A passive external assessment is where the evidenced answer begins.

Assess Your Exposure →

You spent eighteen months getting the clauses signed. Right of audit, sub-contractor notification, breach reporting, exit assistance — all of it negotiated, all of it executed. And none of it tells you what your service providers actually expose to the open internet right now. From 2 July, that gap is no longer a procurement footnote. It is the board’s problem, in writing, under a prudential standard.

On 1 July 2026, APRA’s Prudential Standard CPS 230 Operational Risk Management takes full effect, together with the finalised amendments APRA released on 30 April 2026 and the supporting guidance in CPG 230. The same date closes the transition window: for service-provider contracts already in place, the standard applies from the earlier of the next renewal or 1 July 2026. Whichever came first has, for most entities, now arrived.

  • 1 Jul: CPS 230 & CPG 230 take full effect (2026). Source: APRA
  • 72 hrs: to notify APRA of a material operational risk incident. Source: APRA, CPS 230
  • 24 hrs: to notify APRA of a disruption to a critical operation outside tolerance. Source: APRA, CPS 230

The accountability does not sit where the work does

CPS 230 is explicit on the point most easily missed: the board of an APRA-regulated entity is ultimately accountable for the oversight of operational risk management — and that explicitly includes business continuity and the management of service-provider arrangements. You can outsource the processing. You cannot outsource the accountability. When a material service provider is breached and your critical operations stop, “that was the vendor’s system” is not a position your board can take to the regulator.

The standard also forces a question many registers have never properly answered: which of your operations are actually critical? APRA does not leave it to interpretation. Unless an entity can justify otherwise, it must classify as critical operations — for an ADI — payments, deposit-taking and management, custody, settlements and clearing; for an insurer, claims processing; for a superannuation trustee, investment management and fund administration; and, for every regulated entity, customer enquiries and the systems and infrastructure that support those operations. Each critical operation needs a defined tolerance level, and a credible plan to stay within it through severe disruption — including disruption that originates inside a provider you do not control.

A clause is not a control

Here is the structural problem the standard exposes. A signed agreement is a statement of intent. It records what a provider has promised to do. It is silent on what that provider is actually doing — and silent on what they are exposing on your behalf this morning: a forgotten administrative interface, an expired certificate, a misconfigured storage bucket, credentials sitting in a public code repository, a subdomain pointing at infrastructure nobody owns any more.

The 2025 Salesloft Drift compromise made the distinction concrete. More than 700 organisations were impacted — not because their own systems were breached, but because attackers stole OAuth tokens issued to a trusted third-party integration and used them to exfiltrate data through a pre-approved door. Every one of those organisations almost certainly had a contract with the vendor. None of those contracts saw the token coming. A clause governs the relationship. It does not see the exposure.

On the amendments

APRA’s 30 April 2026 amendments introduce a narrow exemption from certain contractual requirements for material arrangements with specific non-traditional service providers — government agencies, regulators, central banks, clearing and settlement facilities and the like — where bespoke terms are not practicable. Read the relief precisely: it touches contract drafting, not duty. APRA is explicit that all other requirements continue to apply, and that the change does not reduce the expectation that entities actively manage the operational risk arising from these providers. The contractual carve-out makes the external evidence more important, not less — because where the paper is thin, observed reality is all you have.

What an external view adds — and the line it will not cross

Be clear about the limits, because the limits are the point. A passive external assessment does not touch your providers’ systems, and it never would. It cannot certify a vendor’s internal controls, and it does not pretend to. What it does is show you — and your board — the same picture an attacker assembles before choosing a target: your material providers, and your own estate, as they appear from the public internet.

What a passive assessment establishes for a CPS 230 program

  • Which platforms and providers genuinely sit behind your critical operations, confirmed from public certificate, DNS and infrastructure records — including the ones missing from your register.
  • Which provider-facing interfaces, login portals and services are reachable from the internet, and where that footprint is wider than the contract implies.
  • Where credentials tied to your organisation or your providers already appear in public breach and infostealer data — measured as a live attack surface, not a hypothetical.
  • The fourth-party surface: the suppliers your suppliers depend on, whose exposure quietly becomes yours.
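The first two items above come down to joining your own public DNS and certificate records against the provider register and the critical-operations map. The script below is an added illustration of that join, written for this article; it is not BlackFlag Advisory's tooling. Every record in it is constructed sample data for a fictional entity, the set of CNAME targets that still resolve is given as a constant rather than looked up, and the provider is taken to be the CNAME target with its first label stripped, which is a deliberate simplification.

```python
"""Map public DNS and certificate records to a service-provider register.

Added illustration only (not BlackFlag's tooling). All records are constructed
sample data; "provider" is the CNAME target minus its first label, a simplification.
"""
from datetime import date

ASSESSMENT_DATE = date(2026, 7, 1)

# Constructed DNS records for a fictional entity's own zone.
DNS_RECORDS = [
    {"name": "pay.example-bank.au", "type": "CNAME", "target": "edge.payments-vendor.example.net"},
    {"name": "claims.example-bank.au", "type": "CNAME", "target": "tenant.claims-saas.example.org"},
    {"name": "old-portal.example-bank.au", "type": "CNAME", "target": "abandoned.cloud-host.example.com"},
    {"name": "www.example-bank.au", "type": "A", "target": "203.0.113.10"},
]

# Constructed certificate records, as they would be read from public certificate transparency logs.
CERT_RECORDS = [
    {"subject": "pay.example-bank.au", "not_after": date(2027, 1, 10)},
    {"subject": "old-portal.example-bank.au", "not_after": date(2025, 3, 1)},
    {"subject": "admin-legacy.example-bank.au", "not_after": date(2026, 12, 1)},
]

# CNAME targets that still resolve publicly (constructed); a target missing here is dangling.
RESOLVING_TARGETS = {"edge.payments-vendor.example.net", "tenant.claims-saas.example.org"}

# What the entity's own register says: contracted providers, critical operations, owners.
CONTRACTED_PROVIDERS = {"payments-vendor.example.net": "Payments Vendor Pty Ltd"}
CRITICAL_OPERATIONS = {"pay.example-bank.au": "payments", "claims.example-bank.au": "claims processing"}
OWNERS = {"payments": "Head of Payments", "claims processing": "Head of Claims"}


def provider_domain(target: str) -> str:
    """Simplified: drop the host label and treat the remainder as the provider's domain."""
    return target.split(".", 1)[1] if "." in target else target


def rate(host: str) -> tuple[str, str]:
    """Rating and owner: anything behind a critical operation is High and already has an owner."""
    op = CRITICAL_OPERATIONS.get(host)
    if op:
        return "High", OWNERS.get(op, "unassigned")
    return "Medium", "unassigned"


def assess(dns=DNS_RECORDS, certs=CERT_RECORDS, resolving=RESOLVING_TARGETS,
           contracted=CONTRACTED_PROVIDERS, today=ASSESSMENT_DATE) -> list[dict]:
    """Return register-ready findings: host, finding, provider, rating and owner."""
    findings = []
    dns_hosts = {r["name"] for r in dns}

    for r in dns:
        if r["type"] != "CNAME":
            continue
        prov = provider_domain(r["target"])
        rating, owner = rate(r["name"])
        if prov not in contracted:  # a provider the register does not know about
            findings.append({"host": r["name"], "finding": "provider not in register",
                             "provider": prov, "rating": rating, "owner": owner})
        if r["target"] not in resolving:  # subdomain pointing at infrastructure nobody owns
            findings.append({"host": r["name"], "finding": "dangling CNAME",
                             "provider": prov, "rating": rating, "owner": owner})

    for c in certs:
        rating, owner = rate(c["subject"])
        if c["not_after"] < today:
            findings.append({"host": c["subject"], "finding": "expired certificate",
                             "provider": None, "rating": rating, "owner": owner})
        if c["subject"] not in dns_hosts:  # a name the certificate logs know but the inventory does not
            findings.append({"host": c["subject"], "finding": "host in certificate logs but not in DNS inventory",
                             "provider": None, "rating": rating, "owner": owner})
    return findings


def provider_questions(findings) -> dict[str, list[str]]:
    """Group findings into the question handed to each provider."""
    out = {}
    for f in findings:
        if f["provider"]:
            out.setdefault(f["provider"], []).append(
                f"{f['host']}: {f['finding']}; confirm this is meant to be reachable, "
                "that it requires authentication, and that access is constrained")
    return out


if __name__ == "__main__":
    for finding in assess():
        print(finding)
    for provider, questions in provider_questions(assess()).items():
        print(provider, questions)
```

Run against the constructed data it yields five findings: an uncontracted provider behind the claims host (rated High, owned by the claims lead), an uncontracted and dangling legacy portal with an expired certificate, and an administrative hostname that exists in certificate logs but not in the DNS inventory. The `provider_questions` grouping is the hand-off described below in the article: each finding becomes a question to a named provider rather than an alarm.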

None of this is a system test. It is observation, framed as risk, expressed in the language your obligations are written in. When it surfaces something that warrants attention, the output is not an alarm — it is a precise question you hand to the provider: confirm this is meant to be reachable, that it requires authentication, and that access is constrained. You own the risk; we make it visible and governable.

Get there before your supervisor does

The standard rewards entities that can demonstrate the risk is managed, not merely contracted. The difference shows up the moment something goes wrong. “We had a signed agreement” is where an awkward conversation with APRA begins. “We independently assessed what this provider exposes, rated it, assigned an owner, and acted on it” is where one ends. CPS 230 has now drawn the line between those two sentences, and put your board on the wrong side of it by default.

A BlackFlag engagement pairs a passive external assessment with the governance modelling that turns findings into a defensible position. Within days you have your material providers’ external exposure set out as rated risk with named owners, placed on a register ready to govern, and mapped to your obligations under CPS 230, CPS 234 and APP 11 — so that when the next provider incident lands, you are already governed and able to answer your board and your regulator, not reconstructing what you run while a notification clock runs against you.

Is Your Service-Provider Risk Governed, or Just Contracted?

A BlackFlag Advisory assessment gives your Board an independent, evidenced view of what your material providers expose — mapped to CPS 230, before an incident makes it an urgent question.

Request an Assessment →
Passive Only — No Systems Accessed

All BlackFlag Advisory assessments use exclusively passive OSINT techniques and publicly available data sources. No systems, networks, or accounts are accessed, probed, or tested at any time. Board-ready output delivered within three to seven business days.