APRA Member Suzanne Smith - Speech to Financial Services and ASX Sector Assurance Forum 2025

Key points

  • “Technology has become ever more integrated into the business models of APRA-regulated entities, whether it be “tap and go” payments, super members accessing their balances on their phones or insurers using drones to assess property damage in the aftermath of a bushfire or flood. Today’s banks, insurers and super funds aren’t simply financial services providers; they have effectively become technology companies, responsible for developing, integrating and maintaining vast systems of enormous capability and complexity and storing reams of sensitive data.”
     
  • “Many of the banks, insurers and superannuation trustees APRA supervises rely heavily on legacy systems, which are often built on now outdated software and hardware. These systems are typically less resilient to cyber threats as they often fall short of modern requirements for encryption, segregation, user access, authentication, and real-time monitoring.”
     
  • “One of the key responsibilities internal audit has is making sure the fundamentals are in place, particularly with respect to workforce planning, employee engagement and the delivery of digital transformation initiatives. Internal audit should also be alert to cost-cutting and cost optimisation strategies designed to maintain profitability that inadvertently become very expensive. Delaying the replacement of technology assets, for example, often comes with hidden costs which eventually need to be paid.”
     
  • “One concern APRA is paying close attention to is concentration risk. Across banking, insurance and superannuation, critical operation delivery often hinges on a concentrated set of technology vendors in areas such as the cloud, processors, network, software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). That means if one of these technology providers fails, even temporarily, they can potentially take down services at every company relying on their services.”
     
  • “Risks may evolve as technology changes, but the broad principles of good risk management remain the same. As auditors and other compliance professionals, your job is to identify the areas of highest risk within your organisations, conduct reviews to ensure these risks are being mitigated, and speak up when they are not.”


Good morning. I’m very pleased to be here at this event for the first time.

Australia’s financial services industry, as we recognise it today, was arguably born on the 8th of April 1817 in a house rented from an ex-convict in Macquarie Place – just 500 metres from where we are now. The newly created Bank of New South Wales printed notes with the same press used to publish the colony’s daily newspaper. A bank note issued on that first day of business, now owned by the Australian Museum, is hand numbered and personally signed by both the cashier and the president of the bank. It’s made out for a sum of “10 shillings sterling.” [1]

Our first bank had no electricity or telephones. The only webs were in the rafters and the only thing stored in clouds was rain – itself a valuable commodity in a colony still dependent on the heavily polluted Tank Stream for fresh water. Yet it made a valuable contribution to economic development in a settlement where rum, barter and “IOUs” had been the predominant currencies for much of its brief history to that point.

In contrast, today’s financial services companies possess a level of technological sophistication that was barely imaginable a few decades ago, let alone in the early 19th century. A news article in the Financial Review from 1996, for example, describes Australians taking to telephone banking “like a duck to water” but warns there are doubts they will do the same with internet banking! [2]

In the years since, technology has become ever more integrated into the business models of APRA-regulated entities, whether it be “tap and go” payments, super members accessing their balances on their phones or insurers using drones to assess property damage in the aftermath of a bushfire or flood. Today’s banks, insurers and super funds aren’t simply financial services providers; they have effectively become technology companies, responsible for developing, integrating and maintaining vast systems of enormous capability and complexity and storing reams of sensitive data.

The innovations now available to these institutions and their customers have delivered amazing benefits in terms of efficiency and convenience. But they have also brought significant risks that need to be managed in areas such as cyber risk, operational risk and data risk. Amplifying the challenges is the speed of modern technological change as each innovation makes others possible in turn. The dawn of the artificial intelligence age promises to turbo-charge that process further, amid predictions our economy – perhaps even society – may be drastically altered in coming years by super-intelligent AI.

While technology may assist internal auditors and other risk professionals to do their jobs, the basic principles of good risk management haven’t changed. As a company’s third line of risk management defences, it’s vital that internal auditors continue to probe, ask questions and speak up with an “outside-in” perspective. Just as importantly, boards and senior managers need to heed that voice and take action when material gaps in controls are identified.

Cybersecurity

When I mention technology-related risks, I suspect many of you immediately think of cyber security. In APRA’s most recent stakeholder survey, it was nominated as the number one concern, with 91 per cent of banks, insurers and super funds describing it as a critical or high risk.

The ongoing rise in digital banking, online superannuation management and digital insurance platforms has led to an expanded attack surface for those with malign intent. Our financial institutions are relentlessly targeted by sophisticated cybercriminals, employing tactics including ransomware, AI-enhanced malicious activities, phishing and supply chain attacks. While the vast majority of these attacks are repelled, it only takes one successful breach to threaten customer data and money and the financial and operational resilience of entire institutions and market stability.

Six years after APRA’s first prudential standard on information security, CPS 234, took effect, all APRA-regulated entities take cyber security with the seriousness you’d expect. However, looking across the financial system, the level of cyber resilience remains uneven and persistent gaps remain. A program of tripartite assessments of compliance with CPS 234, which wrapped up last year, revealed sector-wide deficiencies. These included incomplete identification and classification of information assets, inadequate authentication controls, sporadic third-party security assurance, irregular and inconsistent testing, and incident response plans not regularly tested with exercises. Since completing the exercise, we’ve been working with entities to close these gaps. While progress is being made, much more uplift is required, as evidenced by the credential stuffing attacks on superannuation funds mid-year. The cyber resilience journey is never done and must continue to evolve to match the increasing sophistication of the threats.

We’ve made clear that cyber needs to be treated by the board as a whole-of-business risk, and not just an IT issue, and internal audit has a vital role here. Pointed lines of inquiry include:

  • Has authentication strength matched the increasing threats?
  • Are basic cyber hygiene protocols being followed?
  • Has adequate third-party assurance been undertaken?
  • Is testing sufficient in terms of frequency, coverage and technique?
  • Has incident detection been exercised and response maturity tested; and
  • Are detailed CPS 234 incident notifications being lodged promptly?

This last point is one I want to stress. APRA-regulated entities are required to notify us in a timely manner, even if the organisation does not have perfect information about the incident. These notices are an important means of ensuring APRA has a clear view of cyber issues at both an entity and system-level. Some incident patterns we’ve observed through these notifications are:

  • accidental data disclosure, such as sensitive customer reports being distributed to the wrong recipient. This highlights weak data handling procedures, inadequate data leakage limits and a lack of compensating controls, while also putting vulnerable persons at risk of harm, particularly where domestic violence is involved;
  • credential compromise and a lack of strong authentication. This is enabling credential stuffing and spraying-type attacks to be more effective than they should be, testing entities’ detection and response maturity;
  • insufficient network monitoring and management capabilities. This allows malicious network activity to either remain undetected for an excessive amount of time or limits capabilities to adjust to malicious activity in a manner which allows continued customer service; and
  • service provider incidents. These include exposures in service providers spilling into regulated entities, underscoring third party assurance gaps as well as the effectiveness of techniques to limit contagion.

These are not edge cases; they are repeatable patterns that call for broad, visible controls, disciplined testing, and timely APRA notifications.

A difficult legacy

While the explosion in digital financial technologies has opened up new opportunities for cyber adversaries to exploit, old technologies bring their own set of vulnerabilities.

Many of the banks, insurers and superannuation trustees APRA supervises rely heavily on legacy systems, which are often built on now outdated software and hardware. These systems are typically less resilient to cyber threats as they often fall short of modern requirements for encryption, segregation, user access, authentication, and real-time monitoring. Entities frequently face difficulties sourcing components or skilled professionals to maintain these systems, which increases the risk of outages that may impede their ability to meet obligations to customers. They also face challenges in integrating legacy systems with modern digital channels, affecting the agility of business models and their long-term competitiveness.

With modern financial service consumers demanding fast, seamless transactions available at any hour of the day, including the latest mobile apps, online services and other digital tools, almost every entity I visit is undertaking some sort of technological transformation. These transformation programs are typically expensive, complex, and fraught with logistical, financial, and even ethical challenges.

To help avoid these transformations going awry, APRA expects entities to invest appropriately in technology management capability, budgeted technology roadmaps, staff training and communication to minimise risks as they transition legacy systems to more modern platforms. One of the key responsibilities internal audit has is making sure the fundamentals are in place, particularly with respect to workforce planning, employee engagement and the delivery of digital transformation initiatives.

Internal audit should also be alert to cost-cutting and cost optimisation strategies designed to maintain profitability that inadvertently become very expensive. Delaying the replacement of technology assets, for example, often comes with hidden costs which eventually need to be paid. One company that paid highly was America’s Southwest Airlines, which suffered a meltdown of its flight scheduling system in December 2022 that left more than two million travellers stranded over 10 days. Unions pointed to years of underinvestment in IT, leaving the airline reliant on “antiquated” technology that became completely overwhelmed at one of the busiest times of the year. In addition to paying out more than $US600 million on refunds and reimbursements, Southwest was fined $US140 million by federal authorities, plus lost revenue and additional labour costs. [3] Internal audit can and should provide clarity on the potential hidden costs of holding onto legacy systems so they are not overlooked in the hunt for short-term savings.

As companies undertake their modernisation journeys, operational readiness, including staff capability and robust testing, is central to maintaining service standards and managing customer impacts. APRA has observed that the accelerated adoption of technologies such as software as a service, AI, machine learning or blockchain, can sometimes outpace internal skills and governance frameworks. This can lead to ineffective implementations and increased risk exposure, as well as negative outcomes for customers and employees. Internal audit can play a role here by ensuring thorough risk assessments are conducted for all digital initiatives; and that risks and controls are documented and implemented, incorporated into project planning, tested, and updated when there are changes to the project scope and execution.

Clouds and crowds

As the costs and complexity of developing and maintaining the modern technological infrastructure needed in financial services grow, companies are becoming more dependent on third-party service providers. This increased use of service providers carries its own risks, which APRA has spoken about extensively in relation to our new prudential standard, CPS 230 Operational Risk Management. In particular, lack of transparency and control over crucial operations can create significant financial and operational threats if not adequately managed. For example, dependency on the cloud and movement of workloads to the cloud environment has exponentially increased third-party and concentration risk, data security and privacy concerns.

Consequently, CPS 230 requires entities to have a comprehensive understanding of their supply chain vulnerabilities and develop contingency plans to mitigate potential disruptions. This includes strong contract management, conducting thorough risk assessments, establishing strong partnerships with key suppliers and implementing robust monitoring mechanisms to ensure continuity of operations.

One concern APRA is paying close attention to is concentration risk. Across banking, insurance and superannuation, critical operation delivery often hinges on a concentrated set of technology vendors in areas such as the cloud, processors, network, software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). That means if one of these technology providers fails, even temporarily, they can potentially take down services at every company relying on their services. The best-known example of this from recent history was last July’s CrowdStrike outage, which disabled 8.5 million Microsoft Windows devices worldwide, taking down critical systems at airports, banks, hospitals and supermarkets. [4]

To better understand this risk, APRA asked all its regulated entities to submit a list of their material service providers by the beginning of this month. We have now begun analysing the data to develop a financial system-wide view of entities’ reliance on third party service providers and where particular concentration risks may lie. As finance, telecommunications, emerging technologies, and platforms increasingly converge, APRA will continue to engage with Government and regulatory peers as the Critical Infrastructure reforms evolve further. Our focus will remain on shaping sector-wide incident playbooks; improving information sharing; and participating in exercises that test industry coordination with government regulatory agencies including the Council of Financial Regulators.

Entities should be undertaking their own work independently to address third-party and concentration risk. This includes undertaking service interdependency mapping and credible scenario testing involving both complete failures and “degraded-mode” operations. These need to be routine and broadly visible – not “once and done”. Auditors should look for scenario design that includes multi-entity, multi-vendor failures, and for clear customer outcome metrics when operating in contingency modes. Your checks need to go beyond reviewing documents to properly validating whether tolerance levels, mapping and testing truly capture real points of failure across first, second, third and further parties.

Data surge

Widespread use of cloud storage across APRA-regulated industries is closely related to another rising technology-related challenge – data risk. This isn’t a new risk, but it’s one that is growing if for no other reason than the volume of data that companies generate each year keeps expanding.

The proliferation of customer data across digital channels amplifies privacy, consent, and data management issues. We find many organisations struggle to guide data management, maintain consistent data quality, ensure traceability of data, understand and leverage metadata, and comply with evolving privacy regulations and international regulations.

APRA expects our regulated entities to stay on top of this challenge by implementing comprehensive data governance policies, including data mapping, quality controls, robust authorisation and access control, desensitisation of data wherever possible, and regular audits. We also encourage the adoption of privacy-by-design principles and robust data breach response plans.

Upping both the stakes and volume of data is the rapid expansion in the use of AI, with one forecast estimating demand for AI-ready data centre capacity will rise at an average rate of 33 per cent a year between 2023 and 2030. [5] If companies thought they had enough data to manage with seemingly endless internal emails, imagine when most emails are composed with the help of AI!

Our preparedness for AI use and deployment must consider new risks and the broadening of current risk, especially in the areas of data. The economics of data aggregation could lead to growing concentration risk, with single-source providers of data and foundational AI models driving greater homogeneity and potentially biased data sets in the financial sector. AI is an emerging area for internal audit to examine and also represents a wholesale change in how auditors engage, assess risk, reach sufficient depth in their work, and address the complexity of providing an AI audit assurance opinion. Indeed, many of you are still trying to determine: "How far do we go to render an opinion?" For example, do you need to "check the math?" Will auditors need to understand and master increasingly technical capabilities to appropriately conduct work in AI?

The answers to these questions are still evolving; however, a starting point can be found in proven international frameworks for assessing and auditing emerging technologies. These can assist in ensuring that innovation is balanced with prudent risk controls and robust governance structures.

More specifically, auditors can help companies manage data and AI risks by:

  • assessing the monitoring and oversight for AI-generated outputs;
  • assessing data classification for these outputs;
  • reviewing controls for their retention and deletion; and
  • evaluating data localisation and sovereignty compliance programs.

First principles

APRA is often asked whether we intend to regulate the use of AI by our regulated entities. We have stepped up our monitoring of the emerging AI risks by reviewing practices across some larger institutions, including the appropriateness of risk management and oversight. Before the end of the year, we will undertake targeted supervisory engagements with a group of larger financial institutions to get a better understanding of leading industry practices and common challenges relating to AI.

Beyond technical considerations, we are encouraging our regulated entities to think strategically about AI ethics and governance, particularly as generative AI removes traditional human guardrails from decision-making processes. This will require them to embed strong ethical frameworks and accountability mechanisms into their AI governance structures, ensuring human oversight remains meaningful even when automated systems operate with greater autonomy.

However, we remain of the view that our existing regulatory framework is sufficient to capture the use of AI by banks, insurers and super funds. This includes our prudential standards and guidance on information security, operational risk management, data risk and general risk management.

And this brings me to my most fundamental message today: risks may evolve as technology changes, but the broad principles of good risk management remain the same. As auditors and other compliance professionals, your job is to identify the areas of highest risk within your organisations, conduct reviews to ensure these risks are being mitigated, and speak up when they are not.

That doesn’t mean auditors can safely ignore technological developments. Auditors must have a solid understanding of how new technologies work and what they mean to the organisation, so they can provide assurance to boards that risks in areas such as cybersecurity, data governance, system implementation, system recovery, and migration are mitigated.

APRA expects internal audit to deliver independent, risk‑based assurance over an entity’s information‑security capability and control environment, proportionate to the threat landscape and the criticality of business services. When required, that means stepping in to directly test where no other effective mechanisms exist.

In practice, this includes assessing whether the CPS 234 control‑testing program is well‑designed and operating effectively; and verifying the organisation’s ability to detect, respond and recover through plans and exercises. Given CPS 230’s emphasis on operational resilience and material service providers, internal audit should also evaluate outsourced arrangements end‑to‑end. Reporting should triangulate Line One and Two results, supplier attestations, and independent reviews, and provide clear opinions to the Board and Audit Committee on residual risk and whether governance and controls, for both the organisation and the service provider, meet prudential expectations.

Back to basics

Australia’s financial services industry has come a long way since that first bank opened back in 1817. In those days, transferring money from London to Sydney required a sea journey of up to four months. [6] Today, it happens almost instantaneously via digital transfer. Technological innovation has markedly upped the convenience available to companies and their customers – and eliminated the threat, at least in banking, of shipwrecks and pirates – but other dangers have emerged: cyber criminals, network outages, crashed servers, human error, and data breaches.

While the tools available to our financial forebears were rudimentary – quill pens, printing presses, cast iron safes and oil lamps – they were simple to understand and repair when things went wrong. The same can’t be said about many of the increasingly sophisticated, algorithmic-based technologies used by modern financial institutions. Not only are these technologies typically opaque, even for IT and cyber professionals, but they frequently rely on a range of interconnected third parties.

With outdated legacy systems raising the risk of malfunctions and cyber breaches, most APRA-regulated entities are embracing new technologies to remain competitive and meet customer demands around service and efficiency. As they do so, internal audit has a crucial role to play in ensuring governance, control frameworks, and risk management keep pace with these changes. Because while technology is ever-changing, getting the basics right, and the principles of good risk management, are largely timeless.


[1] First Bank Note 1817, Bank of New South Wales (Westpac), The Australian Museum Blog

[2] Australians get on line with telephone banking, Financial Review, 1996

[3] DOT Penalizes Southwest Airlines $140 Million for 2022 Holiday Meltdown, US Department of Transportation

[4] When tech fails, it is usually with a whimper instead of a bang

[5] AI data center growth: Meeting the demand, McKinsey

[6] Maritime Journey from Britain to Australia, 1788-1960, The Geography of Transport Systems
