New APRA regulations raise the stakes on data governance and security in financial services
Australia's financial institutions are on notice. With the latest updates to the Australian Prudential Regulation Authority's (APRA) CPS 230 standard now in effect, the message is clear: data breaches are no longer just a technical issue, they are a governance failure, and accountability levels have been raised.
The regulation, which governs operational risk management across the banking, insurance and superannuation sectors, places explicit accountability on boards and senior management to protect data and systems. It significantly lifts the bar on how companies must prepare for, respond to, and report on cyber incidents. The implications of non-compliance are serious, and the consequences of a breach are potentially crippling, for both a company's reputation and its finances.
Operational risk is now boardroom business
One of the most significant changes is that boards are now directly responsible for ensuring that their institutions have robust processes to identify and manage operational risks, including cyber threats. This includes maintaining a comprehensive view of critical operations, setting clear risk boundaries, and ensuring adequate resilience and recovery strategies are in place. It also means having a very clear view of the company's data estate, with proper checks and balances in place to ensure it is visible, accessible and manageable as well as secure.
This shift in accountability means that cybersecurity can no longer be treated as an IT silo or relegated to back-office functions. Executive leaders must now take an active role in overseeing cyber preparedness, ensuring that data governance practices are aligned with APRA's expectations, and that proper risk management is embedded across the organisation and tested on a regular basis. In other words, it requires buy-in right from the top, and across all departments.
The cost of failure: more than just fines
In the event of a serious cyber incident, APRA may now impose strict corrective actions, including operational restrictions while investigations are underway. If federal agencies are called in to trace the origin and scale of a breach, as has occurred in recent high-profile cases, companies may be forced to suspend critical services for days or even weeks. For banks and insurers, this can result in significant financial loss, erosion of customer trust, and damage to shareholder value. In extreme cases, as we have seen, the company could very well go under.
Furthermore, under Australia's Security of Critical Infrastructure (SOCI) reforms, financial entities may also be subject to direct government intervention if their systems are deemed at risk. In such a scenario, control over key digital infrastructure could be temporarily removed from the organisation, which is an outcome that few boards are prepared to entertain.
A clear mandate for proactive defence
With these new regulations, it's no longer enough to react to threats as they arise. The CPS 230 framework demands that organisations adopt a proactive, intelligence-led approach to security, one that includes real-time threat detection, automated mitigation, and rigorous access controls across hybrid environments.
This is particularly critical as many financial services firms expand their cloud and software-defined infrastructure footprints, increasing their attack surface in the process. Furthermore, with the rise of artificial intelligence and LLMs, data estates are set to expand, which only increases this risk.
Effective data governance, including knowing where sensitive data resides, who has access to it, and how it is protected, is absolutely critical. However, institutions must go further, implementing protective measures such as application-layer protections, anomaly detection powered by behavioural analytics, and threat intelligence tools capable of identifying and neutralising sophisticated attacks before they reach their targets.
Time to tighten up
Financial services organisations are increasingly being judged not just on whether they were attacked, but on how prepared they were and how effectively they responded. The new APRA guidelines are a wake-up call: regulators, shareholders and customers now expect companies to demonstrate operational resilience in the face of escalating cyber risks.
For boards and executives, this is the moment to assess whether your cybersecurity posture is strong enough, not only to protect sensitive customer data, but to avoid the far-reaching financial and regulatory consequences of falling short. When the next breach comes, it's not just your IT systems that will be under scrutiny; it's your entire governance over data, systems and risk planning.