APRA tolerance for risk gaps ‘never lower’

A “perfect storm” of factors is amplifying cyber, geopolitical and operational risks, Australian Prudential Regulation Authority chair John Lonsdale says.

Converging factors include the financial system’s growing dependence on digital technologies, increased interconnectivity, reliance on third parties to deliver critical operations, and shifts in the geopolitical environment.

APRA’s new operational risk prudential standard, CPS 230, took effect at the start of the month and requires regulated entities to have “an end-to-end understanding” of the service providers that support their critical operations.

“The increasing reliance on third-party service providers continues to be a growing vulnerability that entities must manage,” Mr Lonsdale told a banking conference last week.

“Events such as the CrowdStrike outage last year and the more recent targeting of Qantas customer data through a third-party servicing platform show how third-party weaknesses can lead to significant operational risks.”

APRA will conduct prudential reviews of how entities are complying with CPS 230, starting with significant financial institutions and later extending to non-significant financial institutions.

“With so much at stake, our tolerance for gaps or weaknesses in how these risks are being managed has never been lower,” Mr Lonsdale said.

The regulator will also conduct reviews to understand how entities are meeting their information security obligations, he told the conference.

Prudential Standard CPS 234 (Information Security) requires regulated entities to maintain information security controls “commensurate with the threat environment”, and to review those controls in response to material changes in that environment.

“On cyber, we see a need for continued focus on baseline resilience across all APRA-regulated industries and will be conducting further reviews to understand how entities are meeting the requirements of CPS 234,” Mr Lonsdale said.