APRA warns financial sector of "perfect storm"

Three converging threats pose system-wide challenges

By Jonalyn Cueto

Australia’s financial regulators are bracing for what one senior official has described as a “perfect storm” of operational risks threatening the stability of the nation’s banking system.

Chris Gower, executive director of cross-industry risk at the Australian Prudential Regulation Authority (APRA), warned industry leaders on Wednesday that three converging threats could create significant disruption similar to the rare 1991 Atlantic storm that devastated North American coastlines.

Speaking at the AFIA Risk Summit 2025, Gower outlined the three key risks: increasing dependence on technology that creates vulnerability to cyber attacks, growing reliance on third-party service providers including overseas entities, and shifting geopolitical tensions that amplify existing threats.

Cyber threats already materialising

Recent events have demonstrated these risks are not theoretical, Gower noted. Earlier this year, several superannuation funds fell victim to co-ordinated credential stuffing attacks that resulted in members’ retirement savings being stolen.

“Baseline cyber resilience across many APRA-regulated entities is not at the level it needs to be given the rapidly evolving threat environment,” Gower said.

The regulator has responded by writing to all superannuation funds last week, demanding faster implementation of multi-factor authentication for high-risk activities and privileged access.

New standards take effect

The financial sector faces immediate changes with APRA’s new prudential standard CPS 230 Operational Risk Management taking effect on July 1. The standard requires banks, insurers, and superannuation funds to conduct comprehensive supply chain risk assessments and develop contingency plans for potential disruptions.

Gower emphasised the standard builds on existing foundations rather than starting from scratch, incorporating elements from previous outsourcing and business continuity requirements.

Geopolitical tensions rising

Australia’s security agencies have highlighted the deteriorating threat environment. ASIO’s director-general noted earlier this year that Australia faces “multifaceted, merging, intersecting, concurrent and cascading threats” with foreign interference and espionage risks at “extreme levels”.

Recent market volatility driven by international trade dynamics and sanctions enforcement following global conflicts have demonstrated how distant geopolitical events can rapidly impact Australian financial institutions.

Balanced approach needed

Despite the heightened risks, Gower stressed APRA’s commitment to proportionate regulation that doesn’t stifle innovation or competition. The regulator aims to enable “smarter approaches to risk management” rather than layering on additional compliance burdens.

“The objective is not to anchor the ship in the harbour, but to be smarter in how to prepare for the voyage,” he said.

Financial institutions adopting a “resilience mindset” rather than mere compliance have proven more effective in managing operational risks, according to APRA’s observations.
