
APRA Explains cyber security

As part of APRA’s 2025 Stakeholder Survey, we asked banks, insurers and superannuation trustees which business risks they were most concerned about. Number one – by a 20 percentage point margin – was cyber risk, cited by 91 per cent of respondents.  

The response was no surprise. Cyber security has been at or close to the top of industry risk registers for many years now, as organisations ranging from airlines to telecommunications companies have been hit by high profile cyber attacks and data breaches.  

APRA-regulated financial institutions haven’t been immune: in 2022, one of the largest private health insurers was hit with a ransomware attack that resulted in sensitive customer data being posted on the dark web; and in 2025 it emerged that multiple superannuation funds had been the subject of credential stuffing attacks, with some members having money stolen from their accounts.  

While the cyber-threat isn’t new, it is becoming more acute as malicious actors develop new technologies and techniques, including harnessing the power of artificial intelligence. Meanwhile, the growing dependence of customers and financial institutions on digital technologies and third-party service providers has increased the number of points of vulnerability that criminals can exploit.  

As Australia’s financial safety regulator, APRA is responsible for protecting the financial interests of bank depositors, insurance policyholders and superannuation members. As a result, cyber security at our regulated entities is also one of our top concerns.

Not only are robust cyber security systems and practices needed to protect customers’ money and personal information, but to protect the financial strength of the financial institution itself – in a worst-case scenario, a cyber incident has the potential to spark the failure of a bank, insurer or superannuation fund.

In 2019, APRA’s first prudential standard focused on cyber security took effect. Under Cross-industry Prudential Standard (CPS) 234 Information Security, banks, insurers and super trustees must “maintain an information security capability commensurate with the size and extent of threats to their information assets”.  

In plain English, that means that the more data they hold, the more sensitive that data and the greater the risk and consequence of a cyber breach, the more robust their cyber security systems and practices must be. For example, a major bank with millions of customers and billions of dollars in deposits would be expected to have more sophisticated cyber security arrangements than a small regional credit union.  

Simply having these arrangements is insufficient for entities of any size. Under CPS 234, APRA-regulated entities must also:  

  • clearly define information-security related roles and responsibilities within their organisation;
  • implement controls to protect sensitive corporate and customer information and undertake regular testing to ensure these controls are effective; and
  • promptly notify APRA of material information security incidents.

Like all APRA prudential standards, CPS 234 is principles-based, rather than prescribing specific cyber security controls, which might become outdated or inadequate over time. This allows the prudential standard and accompanying guidance to remain current even as the cyber threat evolves and new risks emerge.

CPS 234 is complemented by APRA’s new standard on operational risk management, CPS 230, which deals with business continuity risks more broadly.  

Since CPS 234 came into effect, APRA has closely monitored how well our regulated entities are complying with the prudential standard. While cyber security is taken seriously across all APRA-regulated industries, we have publicly called out common areas of weakness in a bid to lift standards in this crucial area, and warned of possible enforcement action against entities failing to comply with their CPS 234 obligations.  

More recently, APRA has also urged banks, insurers and super funds to step up their authentication controls (including multi-factor authentication) to reduce the risk of people gaining unauthorised access to a device or network and accessing sensitive information or customers’ money.

With strengthening cyber security across our regulated industries remaining a top priority in APRA’s 2025-26 Corporate Plan, APRA will continue to keep a strong focus on ensuring banks, insurers and super funds stay on top of this constantly evolving threat.