Understanding APRA's Prudential Standard CPS 230 and the role of Software Escrow

 

The Australian Prudential Regulation Authority (APRA) has introduced the Prudential Standard CPS 230 Operational Risk Management (CPS 230), a standard aimed at supporting operational risk management across the financial services sector in Australia. The new standard, which comes into effect on 1st July 2025, highlights the importance of resilience, enhancement of risk management practices and effective operational controls.

For companies looking to comply, integrating software escrow, also known as source code escrow or code escrow, can be a strategic option as part of risk management governance and practices. This article explains how CPS 230 will impact Australian businesses within the financial services sector and why software escrow is a crucial compliance solution.

Understanding CPS 230

CPS 230 is designed to enhance the management of operational risks within APRA-regulated entities, which include banks, insurance companies and superannuation funds. The key objectives of CPS 230 are to:

  1. Strengthen Operational Risk Management: New requirements to address identified weaknesses in existing controls.  
  2. Improve Business Continuity Planning: Ensure entities are well positioned to respond to severe disruptions.
  3. Enhance Third-Party Risk Management: Appropriately manage risks from material service providers.

APRA finalised the standard following industry consultation that commenced in July 2022. The new standard will commence from 1st July 2025. 

The Role of Software Escrow

A typical software escrow agreement is a three-party arrangement between a software company (the depositor), the end-user company (the beneficiary), e.g. a bank, and the software escrow company. The objective of a software escrow agreement is to provide comfort to a beneficiary that if the software vendor is unable or unwilling to support the product, the software assets and other critical components such as databases, deployment scripts and documentation can be used to continue operations.

The software vendor deposits the materials with the software escrow company; these can be utilised for continuity purposes if required, based on the terms of the agreement. The inclusions and options for a software escrow agreement have developed in line with changes in the delivery of software. Where software was traditionally deployed on-premise, software escrow now supports the SaaS model too (SaaS Escrow), with various options for mitigating associated supplier risks.

Escrow London can help APRA-regulated entities with their risk mitigation strategies in the following ways:

  1. Mitigating Third-Party Risks: CPS 230 requires entities to manage risks associated with third-party providers, which could include supplier failure, for example. By placing their critical software, assets and data in a secure repository held by the software escrow company, they can mitigate the risk of vendor failure, such as insolvency or bankruptcy, ensuring business continuity and operational resilience.

  2. Ensuring Access to Critical Systems: In the event of a vendor disruption, having an arranged software escrow agreement in place means companies retain access to essential software and production cloud environments, aligning with CPS 230’s requirement for operational continuity. When choosing a software escrow solution, financial institutions must consider the appropriate service level required based on the specific risks they aim to address.

  3. Supporting Incident Management: Effective incident management is a core aspect of CPS 230. Software escrow and continuity services can be a safeguarding tool, enabling companies to quickly regain control over their systems, IP, or data in case of an incident, thereby reducing downtime and minimising operational impacts. A report by IBM on the cost of data breaches found that the global average cost of an unplanned IT/software outage for businesses in the financial services sector is around USD $467,000 per hour, highlighting the crucial need for risk mitigation.

  4. Demonstrating Due Diligence: Utilising software escrow services demonstrates a proactive approach to risk management, showcasing to regulators that the company has taken the correct steps to protect against software-related operational risks and has verified and tested the solutions.

Implementing Software Escrow for Compliance

To integrate software escrow as part of your CPS 230 compliance strategy, consider the following steps:

  1. Identify Critical Software and Material Outsourced Solutions: Determine which software applications are critical to your operations and pose a significant risk if unavailable, and identify the associated risks.

  2. Engage a Reputable Software Escrow Company: Choose a trusted software escrow company that can advise you on defining a best fit solution for the desired outcomes.

  3. Establish Clear Terms: Work with your software escrow provider and software vendor to define the conditions under which the escrowed materials can be released and utilised. These terms should align with your business continuity plans and CPS 230 requirements.

  4. Regular Updates and Verification: Ensure that the escrowed materials are kept up to date through regular, automated deposits and are then verified to reflect the current version of the software. This guarantees that the materials are accurate and usable in case of a triggered release, either by the beneficiary or by the software escrow company, such as with Escrow London’s managed continuity services.

  5. Integrate into Risk Management Framework: Incorporating software escrow into your broader operational risk management framework complements a holistic approach to supplier risk mitigation.

Which Escrow London Approaches Help To Comply With CPS 230?

There are various options for software escrow and SaaS escrow depending on how the software is hosted and its complexities. Escrow London’s solutions are aimed at providing tangible outcomes that are tested to ensure they would work as expected if ever required to be invoked. These include:  

Software Escrow / Source Code Escrow – providing access to critical software assets and data in a default event with a supplier.

SaaS Access Continuity – access credentials to a single-tenanted cloud environment are deposited into escrow and can be used to give the beneficiary access to the existing system and to perform a transfer of ownership of cloud accounts, such as subscriptions in AWS.

Managed SaaS Continuity a) the software escrow company can manage the release event process by redeploying a version of the software in a new escrow environment and managing it on behalf of the beneficiary for a period of time.

Managed SaaS Continuity b) the software escrow company can manage a running DR environment that can be migrated over to following a default, on behalf of the beneficiary.

Conclusion

To safely keep up with the growing demand for cloud-based and third-party solutions, there is a global trend requiring companies to have a better understanding of their supply chain and associated risks, and to manage them as they would their own internal systems. Coupled with a significant rise in the number of insolvencies among technology companies and suppliers, regulators are trying to get to grips with how they allow financial institutions to utilise and benefit from cloud technologies, but in a measured and safe way.

Similar to PRA’s SS2/21 in the UK, APRA’s CPS 230 sets a high bar for operational risk management, pushing Australian financial entities to enhance their resilience and risk controls, and incorporates wider critical services into the regulations with updated definitions. Some of our clients have advised that the new regulations and updated definitions mean that additional third-party services now fall under the requirements. This means they need to implement appropriate risk mitigation measures across a wider group of systems, so regulations and necessary requirements should be reviewed accordingly.

By incorporating software escrow into their compliance strategy, financial companies can safeguard against supplier-related disruptions, ensuring they meet the stringent requirements of CPS 230. As the regulatory landscape continues to evolve, proactive measures like software escrow will be key to maintaining operational stability and regulatory compliance. By understanding and leveraging the benefits of software escrow, financial institutions can not only comply with aspects of CPS 230 but also safeguard their businesses against future uncertainties.

 

About Escrow London

Escrow London is a global software and SaaS escrow company with offices in Sydney, Australia and London, UK. Our North American division, called The Escrow Company, is based in Atlanta, US.

We have invested considerable resources into innovation to reinvent software escrow for a SaaS world. Escrow London provides a range of SaaS continuity escrow solutions suitable for AWS, Microsoft Azure and Google Cloud hosted SaaS applications. We support a wide range of clients, including major law firms, banks, central banks, insurance companies, technology companies and government organisations.

For more information on ensuring your business is CPS 230 compliant, please contact our local software escrow consultants in Sydney.

To find out more about Escrow London and our software escrow and SaaS continuity escrow solutions, visit our YouTube channel.