
Notify a breach

Important update: Breach reporting is moving to APRA Connect from 21 May 2026. Please refer to the information below for full details and guidance.

Latest updates


This page has been updated to reflect changes to breach reporting arrangements from Thursday 21 May 2026.

Extranet retirement

APRA is retiring the current Extranet and moving breach reporting to APRA Connect. This change supports continuity and aligns breach reporting with APRA’s modernised digital platforms.

As previously advised, from Thursday 21 May, all entities must submit their breach reporting directly through APRA Connect. The Extranet will be available until Wednesday 20 May 2026 (inclusive).

There are no material changes to the breach reporting process or forms. The main change relates to where breaches are lodged.

For Private Health Insurers, breach reports will now be lodged by completing an electronic form in APRA Connect, replacing the manual form previously available via the Extranet.

Record keeping

Please download and save copies of any breach submissions you may need from the Extranet for your records by Wednesday 20 May.

Upcoming changes

APRA Connect includes a new Breach Submitter role for breach reporting.

To submit a breach, your Regulatory Reporting Administrator (RRA) must assign the Breach Submitter role to an appropriate user (for example, a Prudential Contact or Company Secretary).

Entities may assign this role to multiple users. All entities must have at least one Breach Submitter role assigned before they can submit a breach in APRA Connect.

The video below demonstrates how to assign the Breach Submitter role and access breach reporting forms in APRA Connect.

Action required

Please ensure the Breach Submitter role is assigned in APRA Connect on or shortly after Thursday 21 May so you can lodge breach reports once the Extranet is retired.


What breaches must be reported to APRA?


Breach notification requirements were imposed on all APRA-regulated institutions from 1 January 2008. A breach notification arises where an APRA-regulated institution is required, in accordance with the industry’s relevant legislation, to notify APRA of a breach of a prudential requirement.¹

The legislation for each industry sets out the circumstances where an institution must notify APRA and the required timeframes for reporting the breach to APRA.

The legislation also contains a ‘significance’ test to assist institutions in assessing the seriousness of a breach. The ‘significance’ tests under each industry’s relevant legislation are very similar (note that the Private Health Insurance (Prudential Supervision) Act 2015 does not include a ‘significance’ test). The ‘significance’ test is a subjective test determined by the APRA-regulated institution under the provisions of each industry’s relevant legislation. To determine what breaches are considered to be significant, institutions need to consider the following factors:

  • the number or frequency of similar breaches;
  • the impact the breach has on the ability to conduct business (or in the Superannuation industry, the RSE licensee’s ability to fulfil its obligations as trustee);
  • whether the breach indicates that the institution’s arrangements to ensure regulatory compliance might be inadequate; and
  • actual or potential financial loss to members, policy holders or depositors of the institution.

The assessment of whether a breach is significant rests with the APRA-regulated institution, having regard to their legal obligations under the respective legislation that applies to them.

For further information refer to the relevant legislation including:

  • s. 29JA of the Superannuation Industry (Supervision) Act 1993
  • s. 132A of the Life Insurance Act 1995
  • s. 38AA of the Insurance Act 1973
  • s. 62A of the Banking Act 1959
  • s. 95 of the Private Health Insurance (Prudential Supervision) Act 2015

When must a breach be notified to APRA?

If the breach relates to the financial position or financial obligations of an ADI, life insurer or general insurer, the institution must immediately notify APRA in writing (and in the case of a private health insurer, as soon as practicable).

In relation to other significant breaches of a prudential requirement, a breach must be notified to APRA by ADIs, life insurers, and general insurers as soon as practicable, but in any case, no later than 10 business days after those institutions become aware of a breach. For RSE licensees, a written report about the breach must be provided to APRA as soon as practicable, and in any case within 30 days, after becoming aware of the breach. For private health insurers, a breach must be notified to APRA as soon as practicable.

Failing to notify a breach of a prudential requirement to APRA

Failure to notify APRA of a breach of a prudential requirement is an offence under each industry’s relevant legislation, and a penalty of 30 units for private health insurers, 50 units for RSE licensees and 200 units for ADIs, life insurers and general insurers may apply.

Reporting breaches to ASIC

Breaches under APRA administered legislation may also breach ASIC administered legislation. You should determine if you are also required to report the breach to ASIC.
Reporting a breach to APRA will constitute the lodgement of a report under 912DAA(1) of the Corporations Act to ASIC, provided that:

  • the report given to APRA contains all of the information under s912DAA. APRA suggests that, in order to ensure compliance, you use the prescribed form contained on APRA’s Online Breach Notification System (the Extranet), and
  • the ASIC breach report is provided within the time required under s 912DAA(3).²

You should not use the Online System or forms to report a breach that relates solely to ASIC-administered legislation. You should refer to ASIC to ascertain how to report these breaches.

How to report a breach to APRA

Reporting a breach – APRA’s preferred method for ADIs, life insurers, general insurers and RSE licensees is to use the online breach reporting system, the APRA Extranet.

Extranet - To access the APRA Extranet, regulated institutions will need to have a myID as well as up-to-date information in APRA’s contacts database.

The APRA Extranet is not currently available for private health insurance lodgements; accordingly, PHIs are to use the PHI Breach template.

For private health insurers and institutions that are unable to use the Extranet, PDF versions of the form are available below:

The prudential contact or company secretary is required to have a myID login to authorise a breach to be reported using the Extranet. Refer to the D2A and Extranet have replaced AUSkey with myGovID and RAM page for further detail.

Online breach reporting system

The online system was released on 25 August 2011. You will need a myID to access the breach online form via the Extranet. The online system enables you to:

  • save breach forms in draft;
  • view previously submitted breaches;
  • print breach forms;
  • prudential contacts or company secretaries with a myID login can submit breaches directly.

Verification emails will no longer include a copy of the form.

Footnote:

1 Obligations within the prudential standards to notify APRA are not considered to be a breach and reportable to APRA as described on this page. For example, notifications of Information Security Incidents and Material Information Security Control Weaknesses required by CPS 234 Information Security continue to be reported to APRA by the links contained under Prudential Standard 234 on the APRA website.
2 The required time is within 30 days after a financial services licensee first knows that, or is reckless with respect to whether, there are reasonable grounds to believe a reportable situation has arisen.

For more information

  • If you are from an APRA supervised institution, contact your APRA Responsible Supervisor.
  • All other users should contact APRA on 1300 558 849 or complete our enquiries form.