On 28 October 2025, APRA Member Suzanne Smith delivered a speech titled “A time‑tested approach for a new world of technological risks,” outlining APRA’s observations and expectations on cyber security, legacy systems, cloud and third‑party risk, data management, and the responsible adoption of AI.

Cyber security

In APRA’s latest stakeholder survey, 91% of banks, insurers and super funds rated cyber security as a critical or high risk. APRA’s program of tripartite assessments against CPS 234 identified sector‑wide weaknesses, including incomplete identification and classification of information assets and incident response plans that are not regularly tested. While progress is underway, APRA expects further uplift.

Boards must treat cyber security as a whole‑of‑business risk, not just an IT issue, with internal audit playing a central role. Key lines of inquiry include whether authentication keeps pace with evolving threats; whether basic cyber hygiene is consistently applied; whether third‑party assurance is adequate; whether testing is sufficiently frequent, broad and sophisticated; whether incident detection and response are regularly exercised and maturing; and whether comprehensive CPS 234 incident notifications are lodged promptly.

CPS 234 incident notifications

APRA expects timely notification of cyber incidents, even where information is incomplete. Recent notifications reveal recurring patterns: accidental data disclosure, often reflecting weak handling procedures and insufficient leakage controls, with heightened risk to vulnerable customers; credential compromise where authentication controls are inadequate, leaving accounts exposed to credential stuffing and password spraying; inadequate network monitoring and management, allowing malicious activity to persist undetected or forcing sustained degraded operations; and service provider incidents that propagate to regulated entities, highlighting third‑party assurance gaps and the need for effective containment.
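The credential stuffing and password spraying pattern above is worth illustrating, because it is exactly the case a classic per-account lockout misses: the attacker touches many accounts a few times each, so no single account ever crosses the failure threshold. The following Python is an added example, not APRA's material or code from any regulated entity. It runs over a constructed authentication log (the IP addresses, usernames and timestamps are invented for the example) and contrasts a per-account lockout rule with a per-source "fan-out" check that flags a source trying many distinct accounts inside one window and lists any accounts it actually got into. The thresholds (window, minimum accounts, attempts per account) are assumptions to be tuned to the entity's own traffic.

```python
"""Fan-out authentication attack detection over a constructed auth log.

Added example: contrasts a per-account lockout (which sees nothing here)
with a per-source fan-out check that catches credential stuffing and
password spraying. Log format, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from any real system).
# Fields: timestamp, username, source IP, outcome (OK or FAIL).
SAMPLE_LOG = """\
2025-10-28T09:00:01Z alice 203.0.113.10 FAIL
2025-10-28T09:00:14Z bob   203.0.113.10 FAIL
2025-10-28T09:00:27Z carol 203.0.113.10 OK
2025-10-28T09:00:40Z dave  198.51.100.7 FAIL
2025-10-28T09:00:41Z dan   203.0.113.10 FAIL
2025-10-28T09:00:52Z dave  198.51.100.7 FAIL
2025-10-28T09:00:55Z erin  203.0.113.10 FAIL
2025-10-28T09:01:02Z dave  198.51.100.7 OK
2025-10-28T09:01:09Z frank 203.0.113.10 FAIL
2025-10-28T09:01:23Z grace 203.0.113.10 FAIL
2025-10-28T09:01:37Z heidi 203.0.113.10 FAIL
2025-10-28T09:02:00Z eve   198.51.100.8 OK
"""


def parse_log(text):
    """Return (timestamp, user, src, success) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user, src, outcome == "OK"))
    return sorted(events)


def per_account_lockout(events, threshold=5):
    """Accounts a classic lockout rule would lock: `threshold` consecutive failures.

    Stuffing and spraying deliberately stay under this per-account count.
    """
    streak = defaultdict(int)
    locked = set()
    for _, user, _, ok in events:
        if ok:
            streak[user] = 0
        else:
            streak[user] += 1
            if streak[user] >= threshold:
                locked.add(user)
    return locked


def detect_fanout(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag sources that touch many distinct accounts with few attempts each.

    For every source IP, slide a window over its events; if at least
    `min_accounts` distinct accounts received no more than `max_per_account`
    attempts inside the window, report the widest such window, including any
    accounts where an attempt succeeded (likely account takeover).
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        best = None
        for i in range(len(evs)):
            t0 = evs[i][0]
            span = [e for e in evs[i:] if e[0] - t0 <= window]
            per_user = defaultdict(int)
            for _, user, _, _ in span:
                per_user[user] += 1
            low_touch = sum(1 for n in per_user.values() if n <= max_per_account)
            if low_touch < min_accounts:
                continue
            alert = {
                "src": src,
                "window_start": t0.isoformat(),
                "accounts": len(per_user),
                "failures": sum(1 for e in span if not e[3]),
                "successes": sum(1 for e in span if e[3]),
                "compromised": sorted({u for _, u, _, ok in span if ok}),
            }
            if best is None or alert["accounts"] > best["accounts"]:
                best = alert
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-account lockout would lock:", per_account_lockout(evs) or "nothing")
    for a in detect_fanout(evs):
        print("fan-out from", a["src"], a)
```

On the sample, the lockout rule locks nothing (the only account with repeated failures is a legitimate user who then succeeds), while the fan-out check reports 203.0.113.10 hitting eight accounts with seven failures and one success, naming the account that was actually compromised. That is the kind of evidence an audit question such as "does authentication keep pace with evolving threats" should be asking for: a detection that models attacker behaviour across accounts, followed by a forced reset and an incident notification for the compromised account.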

Legacy systems and digital transformation

Many banks, insurers and superannuation trustees still rely on legacy platforms built on outdated technologies, and most are undertaking some form of technology transformation. To reduce transformation risk, APRA expects investment in technology management capability, realistic and funded roadmaps, workforce training, and strong communication. Internal audit should assist by being alert to cost-optimisation strategies that inadvertently become expensive. In other words, deferring the replacement or uplift of legacy platforms may carry hidden costs that eventually have to be paid.

Rapid adoption of technologies such as software as a service, AI, machine learning and blockchain can outpace an entity's skills and governance. This can produce ineffective implementations and higher risk exposure, harming customers and employees. Internal audit should check that every digital initiative has a robust risk assessment; clear documentation of risks and controls; controls integrated into project plans; thorough testing; and that these are updated when scope or execution changes.

Cloud and third‑party concentration risk

The increasing reliance on service providers brings material operational risks. Under CPS 230 Operational Risk Management, entities must understand supply chain vulnerabilities and implement contingency plans. This includes strong contract management, rigorous risk assessment, strategic partnerships with key suppliers, and robust monitoring to assure service continuity.

APRA is closely monitoring concentration risk across cloud and other critical technology services. With many entities relying on a small set of vendors across the cloud, processors, network, software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS), APRA has collected data on material service providers to develop a system‑wide view of reliance and concentration.

Entities should independently assess and manage third‑party and concentration risks. This includes interdependency mapping and scenario testing for both complete outages and “degraded‑mode” operations. Testing should be routine, visible and realistic, covering multi‑entity and multi‑vendor failures and using clear customer outcome metrics. Internal audit should verify that tolerance levels, mapping and testing capture real failure points across first, second, third and subsequent parties, rather than relying on documentation alone.

Data management and AI

APRA observes that many organisations struggle with data governance, with challenges including inconsistent data quality, weak traceability, limited metadata management and complex privacy obligations across jurisdictions. APRA expects regulated entities to implement comprehensive data governance, including data mapping, quality controls, strong authorisation and access management, data desensitisation where feasible, and regular audits. Privacy‑by‑design and robust breach response plans are also encouraged.

AI is an emerging focus for internal audit and changes how assurance is performed. International frameworks for emerging technologies can help balance innovation with strong controls and governance. Auditors can help by assessing oversight of AI‑generated outputs; classifying and protecting those outputs; reviewing retention and deletion controls; and evaluating data localisation and sovereignty compliance.

APRA has increased its oversight of AI practices at larger institutions, assessing risk management and oversight. It will conduct targeted supervisory engagements with selected institutions to better understand leading practices and common challenges. APRA considers the existing prudential framework—covering information security, operational risk, data risk and general risk management—sufficient to capture AI use in regulated entities.

Final message

While technology evolves, the principles of sound risk management remain constant. Auditors and compliance professionals must identify the highest‑risk areas, test whether controls are effective and escalate where risk is not being adequately mitigated.