The Australian Prudential Regulation Authority (APRA) published a speech setting out its latest supervisory focus on technology-related risks across banks, insurers and superannuation trustees, with particular emphasis on uneven cyber resilience, legacy system fragility, third-party and concentration risk, and the growing intersection of data and artificial intelligence (AI). APRA signalled two near-term supervisory priorities: building a financial system-wide view of reliance on material service providers to understand concentration risk, and stepping up monitoring of AI risk management with targeted engagements at larger institutions before end-2025.
APRA pointed to persistent gaps in compliance with Prudential Standard CPS 234 Information Security identified through tripartite assessments completed in 2024, including incomplete identification and classification of information assets, inadequate authentication controls, sporadic third-party security assurance, irregular testing, and incident response plans not regularly exercised. It reiterated expectations for timely CPS 234 incident notifications even where information is incomplete, and highlighted recurring incident patterns including accidental data disclosure, credential compromise enabling credential stuffing and spraying attacks, insufficient network monitoring, and incidents at service providers propagating into regulated entities.
On operational resilience under Prudential Standard CPS 230 Operational Risk Management, APRA emphasised supply chain understanding and contingency planning, and noted that critical operations often depend on a concentrated set of technology vendors across cloud, processors, network and “as a service” models. APRA required all regulated entities to provide lists of material service providers by early October 2025 and has begun analysing the data, alongside encouraging firms to undertake interdependency mapping and routine scenario testing including multi-entity and multi-vendor failures and degraded-mode operations.
Before end-2025, APRA will undertake targeted supervisory engagements with a group of larger institutions on AI practices and common challenges, while maintaining that existing prudential requirements cover AI use. It also flagged continued work with government and regulatory peers as critical infrastructure reforms evolve, including sector-wide incident playbooks, information sharing and coordination exercises.