The Australian Prudential Regulation Authority (APRA) used a speech on operational resilience to warn that a more volatile geopolitical environment is amplifying technology, third-party and insider-related operational risks, and to outline how regulators and industry are strengthening preparedness to protect continuity of critical financial services. APRA highlighted three converging headwinds: deeper reliance on technology and exposure to cyber disruption, increasing dependence on third parties including offshore service providers, and geopolitical shifts that can intensify cyber and other operational threats while also creating less traditional risk channels such as sanctions compliance and malicious insiders.
It pointed to the forthcoming implementation of CPS 230 Operational Risk Management, which will apply to banks, insurers and superannuation funds and is intended to improve visibility of supply chain vulnerabilities and require contingency planning and monitoring for disruptions, building on and replacing CPS 231 and CPS 232 while sitting alongside CPS 220 and CPS 234.
On cyber preparedness, APRA said baseline resilience across many regulated entities is not yet sufficient and noted it had written to all superannuation funds to reinforce robust authentication controls, including faster and more holistic implementation of multi-factor authentication or equivalent controls for high-risk activities and privileged access.
At the system level, APRA noted the Council of Financial Regulators (CFR) is monitoring vulnerabilities that could amplify instability and has commenced a geopolitical work program to support resilience, alongside initiatives including CPS 230 implementation and new crisis management powers for financial market infrastructure.
CPS 230 is scheduled to go live on 1 July 2025, with certain parts delayed for non-Significant Financial Institutions until 1 July 2026; APRA also reiterated its commitment to review the framework distinction between Significant Financial Institutions and non-SFIs as part of maintaining a proportional approach.
Australian Prudential Regulation Authority 2025-06-18
Australian Prudential Regulation Authority sets out operational resilience priorities ahead of CPS 230 go-live amid rising geopolitical and cyber risk
The Australian Prudential Regulation Authority (APRA) emphasized heightened operational risks from geopolitical volatility, technology reliance, and third-party dependencies, highlighting the forthcoming CPS 230 Operational Risk Management framework effective 1 July 2025. APRA stressed the need for improved cyber resilience and contingency planning, with the Council of Financial Regulators monitoring systemic vulnerabilities and supporting resilience initiatives.