APRA-Regulated Entities Embrace New Technology Amidst Cyber Threats
The increasing reliance on online systems has left many financial institutions vulnerable to the ever-evolving threat of cybercrime. With outdated legacy systems raising the risk of malfunctions and cyber breaches, most APRA-regulated entities are implementing new technologies to stay competitive and meet customer demands for service and efficiency. This shift is not without its challenges, however, as these institutions also face the daunting task of ensuring that their governance, control frameworks, and risk management evolve at the same pace.
The Crucial Role of Internal Audit
According to APRA member Suzanne Smith, internal audit plays a vital role in this technological transition. Speaking at the Financial Services and ASX Sector Assurance Forum 2025, Smith emphasized the need for internal audit to step up its efforts to ensure that these changes do not compromise the institutions’ security and integrity. She warned that the integrity of internal audit will be tested as financial institutions become increasingly targeted by sophisticated cybercriminals.
The Cyber Threat Landscape
Cybercriminals employ a range of tactics, including ransomware, AI-enhanced malicious activities, phishing, and supply chain attacks, to breach the defenses of financial institutions. Smith reminded the industry that while the majority of these attacks are thwarted, a single successful breach can threaten customer data, money, and even the financial and operational resilience of entire institutions.
The State of Cyber Resilience
While APRA-regulated entities have taken steps to enhance their cybersecurity in the six years since APRA’s first prudential standard on information security, CPS 234, took effect, gaps still remain. Smith noted that a series of tripartite assessments of compliance with CPS 234 revealed sector-wide deficiencies, including inadequate authentication controls and irregular testing. Since the completion of the assessments, APRA has been working with entities to address these issues.
The Challenge of Legacy Systems
Many of the banks, insurers, and superannuation trustees APRA supervises rely heavily on legacy systems, which are often built on outdated software and hardware. These systems are typically less resilient to cyber threats and often fall short of modern requirements for encryption, user access, and real-time monitoring. Furthermore, entities often face difficulties sourcing components or skilled professionals to maintain these systems, which increases the risk of outages that may impede their ability to meet obligations to customers.
The Way Forward
Despite these challenges, Smith emphasized that progress is being made in enhancing cyber resilience. However, she stressed that more work needs to be done to keep pace with the increasing sophistication of cyber threats. While the journey is ongoing, the adoption of new technologies and the reinforcement of internal audit processes will play a crucial role in ensuring that APRA-regulated entities can effectively manage these risks and maintain their competitiveness in the long term.