The Australian Prudential Regulation Authority published a speech setting out its supervisory focus on technology-driven risks across banks, insurers and superannuation trustees, and called on internal audit to provide independent, risk-based assurance over cyber, operational resilience and data controls. APRA reported that cyber risk remains the top concern in its stakeholder survey and pointed to persistent shortcomings in the sector’s implementation of Prudential Standard CPS 234 Information Security, alongside vulnerabilities from legacy systems and increasing reliance on third-party technology providers. Tripartite CPS 234 compliance assessments that concluded in 2024 found incomplete identification and classification of information assets, inadequate authentication controls, sporadic third-party security assurance, irregular testing, and incident response plans not regularly exercised. APRA reiterated expectations for timely CPS 234 incident notifications and cited recurring patterns including accidental data disclosure, credential compromise enabling credential stuffing and spraying, insufficient network monitoring, and service-provider incidents spilling into regulated entities.

The speech also linked third-party and concentration risk to CPS 230 Operational Risk Management expectations on supply chain understanding, contract management, monitoring and contingency planning, and highlighted the need for routine interdependency mapping and scenario testing, including degraded-mode operations and multi-vendor failures. To build a financial system-wide view of service-provider reliance, APRA required entities to submit lists of material service providers by early October and has begun analysing the data.
On artificial intelligence, APRA said it has stepped up monitoring by reviewing practices at some larger institutions and will undertake targeted supervisory engagements with a group of larger financial institutions before end-2025, while maintaining that existing prudential standards and guidance are sufficient to capture AI-related risks.
Australian Prudential Regulation Authority 2025-10-28
Australian Prudential Regulation Authority highlights CPS 234 cyber resilience gaps and intensifies focus on third-party concentration and AI governance
The Australian Prudential Regulation Authority (APRA) emphasized its focus on technology-driven risks in banks, insurers, and superannuation trustees, highlighting cyber risk as a top concern. APRA noted shortcomings in implementing Prudential Standard CPS 234, including asset identification, authentication controls, and incident response plans. It stressed timely incident notifications and linked third-party risks to CPS 230 expectations. APRA is analyzing service-provider reliance data and increased monitoring of AI practices, asserting current standards adequately address AI-related risks.