The Australian Prudential Regulation Authority (APRA) has highlighted the need for financial firms to manage risks stemming from an increased reliance on new technologies.   

Speaking at the Australian Compliance Institute’s GRC2023, APRA member Therese McCarthy Hockey says threats to businesses have “less to do with breaking into safes and more to do with breaking into servers”, with Australians impacted by significant consequences from digital risks exposure.  

“In an environment where one crashed server or ransomware attack can leave potentially millions of Australians without access to funds, the ability to mitigate operational risks is essential for financial stability and community well-being,” Ms Hockey said.   

“Twelve months ago, APRA still talked about it being a case of ‘when’ rather than ‘if’ one of our regulated entities suffered a major cyber breach. We’ve now had several. 

“The impact of these attacks was felt by many and put information security front of mind for more than just board directors but Australian consumers too.”   

Ms Hockey highlights the considerable risk of digital threats to organisations, noting a “long period of insufficient investment” in cyber security, especially among smaller groups and organisations.   

She cautions the industry to “conduct due diligence” amidst the growing use of emerging technologies in daily operations, such as AI and machine learning systems.   

“As when cryptocurrency emerged on the scene, our initial guidance to industry will be to tread carefully when using these advanced AI technologies: conduct due diligence, put appropriate monitoring in place, test the board’s risk appetite and ensure there is also adequate board oversight,” Ms Hockey said.   

She also notes an upcoming change to requirements for APRA-regulated entities to have mitigation plans against vulnerabilities from key third-party and fourth-party service providers in place amidst a growing increase in high-profile data exposure events.   

“An insurer may not be directly responsible for its website going offline when a network gateway fails, but it will be responsible for the outcome – which is the inability of customers to lodge claims or access other services.” 

Click here for the full speech.