The Australian Prudential Regulation Authority (APRA) used a speech on operational resilience to highlight how rising geopolitical tensions, deeper technology dependence and growing reliance on third-party providers are converging to increase disruption risks for banks, insurers and superannuation funds. It set out how APRA and the Council of Financial Regulators (CFR) are responding through the imminent implementation of Prudential Standard CPS 230 Operational Risk Management, strengthened cyber expectations and a new CFR geopolitical work program. CPS 230 is positioned as a step-change in entities’ ability to identify supply chain vulnerabilities and plan for disruptions, building on APRA’s existing risk management and information security standards and replacing the soon-to-be-superseded outsourcing and business continuity standards. In cyber, APRA pointed to recent incidents including credential stuffing attacks affecting superannuation funds and noted that baseline cyber resilience is not yet where it needs to be, citing a recent letter to all superannuation funds calling for robust authentication controls and faster, more holistic deployment of multi-factor authentication or equivalent controls for high-risk activities and privileged access. System-wide monitoring will continue via the CFR, which has commenced work on a geopolitical program alongside related initiatives including CPS 230 implementation and new crisis management powers for financial market infrastructure. CPS 230 is scheduled to commence on 1 July, with certain requirements for non-Significant Financial Institutions (non-SFIs) deferred until 1 July 2026.
Australian Prudential Regulation Authority 2025-06-18
Australian Prudential Regulation Authority warns on geopolitics and cyber risks and readies industry for CPS 230 go-live on 1 July
The Australian Prudential Regulation Authority (APRA) highlighted rising disruption risks for banks, insurers, and superannuation funds due to geopolitical tensions, technology reliance, and third-party dependencies. APRA and the Council of Financial Regulators (CFR) are tackling these through the upcoming Prudential Standard CPS 230 Operational Risk Management, enhanced cyber expectations, and a new CFR geopolitical work program. CPS 230 will improve supply chain vulnerability identification and disruption planning. APRA urged superannuation funds to enhance authentication controls, with system-wide monitoring and new crisis management powers in progress.