The Australian Prudential Regulation Authority (APRA) released a departmental advisory following remarks from Member Suzanne Smith, highlighting the increasing technological risks facing Australia’s financial institutions.
APRA Member Suzanne Smith highlighted that “today’s banks, insurers and super funds aren’t simply financial services providers; they have effectively become technology companies, responsible for developing, integrating and maintaining vast systems of enormous capability and complexity and storing reams of sensitive data.”
The advisory focuses on cybersecurity, data governance and operational resilience, and singles out the risks posed by legacy systems, cloud storage and reliance on third parties. These themes carry immediate implications for public sector data privacy, artificial intelligence, data infrastructure, data collection, data sharing and collaboration frameworks.
Cybersecurity governance mandates
APRA is using its prudential standards CPS 234 (information security) and CPS 230 (operational risk management) to address rising technology risk in financial institutions. Regulated entities must implement comprehensive data governance frameworks covering data mapping, access control, desensitisation and ongoing audits of data quality. APRA also requires prompt notification of cyber incidents, even before all the facts are known, so that it can build a system-level picture of what is happening across the sector.
Recent APRA assessments point to ongoing deficiencies in authentication practices, oversight of third parties and testing of incident response plans across the industry. Under the new CPS 230 requirements, institutions must identify and report all material service providers, assess their operational dependencies on them and perform concentration risk assessments, so that a cloud storage failure or a technology vendor outage does not become a systemic disruption.
Cybersecurity risk evidence
APRA’s October 2025 advisory treats technology risk as a systemic threat. It draws on documented failures and sector-wide assessment data to show the financial and operational consequences of inadequate cybersecurity frameworks, legacy system dependencies and vendor concentration across critical infrastructure.
Key Evidence:
- Cyber threat escalation reaches critical threshold – Recent surveys by APRA show that 91 percent of banks, insurers, and superannuation funds view cybersecurity as a critical or high-risk concern. This signifies a major shift in how financial institutions address technology vulnerabilities and allocate security resources across digital banking, online superannuation management, and insurance platforms that manage sensitive citizen data.
- Single vendor failure exposes systemic concentration risk – A faulty CrowdStrike software update in July 2024 crashed 8.5 million Microsoft Windows devices worldwide, taking down critical systems at airports, banks, hospitals and supermarkets at the same time. The incident shows how dependence on a small number of technology vendors for cloud computing, processors and software-as-a-service lets a problem at one provider cascade into widespread failures across institutions and essential services.
- Deferred modernisation generates compounding financial penalties – Southwest Airlines has paid over $600 million in refunds and reimbursements, plus a $140 million penalty imposed by the US Department of Transportation, after its scheduling system collapsed in December 2022 and left two million travellers stranded over ten days. Airline unions cite years of underinvestment in IT as the root cause, noting that operations depended on outdated technology that could not cope with peak demand.
- Legacy system vulnerabilities create persistent security gaps – APRA’s assessments indicate significant deficiencies in information security practices across the sector: poor identification and classification of information assets, weak authentication controls, inconsistent security assurance over third parties, irregular testing, and incident response plans that are never exercised. These gaps persist despite the standards already in force, and they are what allowed credential stuffing attacks against superannuation funds to succeed (credential stuffing replays username and password pairs leaked from other breaches, so it works wherever customers reuse passwords and the login path lacks multi-factor authentication or rate limiting).
- Data volume growth outpaces governance capabilities – Demand for AI-ready data centre capacity is projected to grow 33 percent annually from 2023 to 2030. Organisations that already struggle with data mapping, quality controls, traceability and privacy compliance will have to manage far larger datasets, while also navigating new risks from AI-generated outputs, the economics of data aggregation and potential bias in foundation models.
AI data risks
APRA highlights that the rapid growth of cloud storage and the adoption of artificial intelligence drive significant increases in both data volume and complexity.
In her speech of 28 October 2025, Suzanne Smith noted that “upping both the stakes and volume of data is rapid expansion in the use of AI”.
McKinsey anticipates 33 percent annual growth in global demand for AI-ready data centre capacity from 2023 to 2030, which will place considerable pressure on infrastructure, energy consumption, and data governance frameworks. The rapid pace of change increases concentration risks, particularly when financial institutions rely on a limited number of providers for cloud storage and AI processing.
APRA cautions that organisations must enhance their oversight of data infrastructure, collaboration, and sharing practices. Without these improvements, organisations risk losing visibility over data flows, which can compromise privacy, security, and resilience in the interconnected financial and public sectors.
Digital government imperatives
The public sector faces heightened risks to its data infrastructure from outdated legacy systems, inadequate authentication, fragmented data silos and inconsistent governance practices. APRA identified outdated platforms that fail to meet modern standards for encryption, segregation, access control, authentication and real-time monitoring, increasing the risk of cyber intrusions and data breaches. As citizen and transactional data volumes grow, the shift to cloud services and the integration of AI compound these risks, with possible privacy violations, regulatory breaches and operational failures as the result.
Concentrating essential services in a few technology providers heightens the risk of systemic failure. Successful digital government initiatives require cohesive data governance frameworks, strong privacy measures, secure data sharing practices and comprehensive audit capabilities to protect sensitive information. Modernising infrastructure and applying strict oversight will strengthen public confidence, improve interoperability and make public sector services that depend on secure, collaborative and AI-driven data environments more robust.
Executive governance mandates
Executives must treat cybersecurity as an enterprise-wide risk and ensure the board stays informed about current threats and the strategies for addressing them. Internal audit should provide assurance over CPS 234 and CPS 230 controls and validate the resilience of key third-party providers. Organisations must map their data flows, break down silos, implement strong authentication and build in privacy-by-design principles.
Scenario testing must include simultaneous failures of multiple vendors and define metrics for customer outcomes while the organisation is operating at reduced capacity. Stronger data governance, active oversight of cloud infrastructure and controls over AI use are what improve operational resilience, reduce concentration risk and protect privacy across public and financial systems.
APRA’s advisory stresses that cybersecurity, data governance and operational resilience are central to the stability of the financial and public sectors. Organisations must replace outdated systems, put strong data governance in place, improve internal audit and manage third-party concentration to lower the risk of breaches and service interruptions.
Cloud technology, AI and growing data volumes demand a proactive approach to governance and scenario testing. Leaders who adopt privacy-by-design principles both meet their compliance obligations and build public trust, and strong data infrastructure combined with careful risk management will underpin digital government and financial services in the years ahead.
Justin Lavadia is a content producer and editor at Public Spectrum with a diverse writing background spanning various niches and formats. With a wealth of experience, he brings clarity and concise communication to digital content. His expertise lies in crafting engaging content and delivering impactful narratives that resonate with readers.
