APRA Executive Director Highlights Operational Resilience Amid Geopolitical Shifts at AFIA Risk Summit 2025

Key Takeaways

  • Converging Risks: Technology reliance, third-party dependencies, and geopolitical volatility are intensifying risks for financial services.
  • CPS 230 Implementation: APRA's new operational risk standard aims to strengthen the resilience of financial institutions by improving risk management and supply chain oversight.
  • Cyber Resilience Focus: APRA is urging financial institutions to enhance their cybersecurity frameworks in response to evolving threats.
  • Geopolitical Vigilance: Global geopolitical developments, including conflicts and trade tensions, are amplifying risks to the financial sector.
  • Resilience over Compliance: Financial institutions must focus on resilience, not just compliance, to effectively navigate emerging risks and disruptions.

Deep Dive

In an address to industry leaders at the 2025 AFIA Risk Summit, Chris Gower, Executive Director of Cross-industry Risk at the Australian Prudential Regulation Authority (APRA), outlined the increasing need for financial institutions to bolster their operational resilience in response to an evolving geopolitical landscape. Drawing a compelling parallel to the "1991 Perfect Storm," Gower described how three converging risks (technology dependence, third-party vulnerabilities, and geopolitical volatility) are creating challenges that could shake the financial system’s stability.

Gower began his speech by referencing the "1991 Perfect Storm" that ravaged the North Atlantic, symbolizing the current convergence of risks within the financial sector. "In the same way three storms converged to create the 'Perfect Storm,' the financial services industry today faces three major converging risks that could severely impact stability," Gower said.

The first of these risks is the increasing integration of technology into every facet of the financial system. With this deeper integration comes a growing vulnerability to cyber-attacks and technological disruptions. As technology becomes more central to financial services, institutions are at greater risk of operational breakdowns in the event of a cyberattack, technical failure, or service disruption.

"Technology is now the backbone of our financial infrastructure, and while it brings efficiency and innovation, it also exposes institutions to systemic risks," Gower explained. "Cyber-attacks are not just a threat, they are a persistent and evolving risk that must be actively managed."

The second risk Gower identified is the rising reliance on third-party providers to manage critical operations and technological services. This dependence on external entities, especially those located overseas, exposes financial institutions to disruptions originating outside the financial sector. "Whether it’s a disruption in a global supply chain or a failure of a third-party service provider, the interconnectivity of our systems means that one disruption can have far-reaching consequences," Gower warned.

The third risk is geopolitical instability, which is exacerbating both technological and third-party vulnerabilities. Geopolitical developments, including military conflicts, international sanctions, and the rise of malicious state and non-state actors, are having a profound impact on financial systems. These risks are amplified by the increasingly complex global landscape and the rise of cyber capabilities in hostile nations.

"In a world where the geopolitical landscape is shifting dramatically, the threats to financial systems are no longer confined to traditional boundaries," Gower said. "Cyber-attacks and third-party vulnerabilities are now part of the geopolitical risk matrix."

Strengthening Resilience

In response to these risks, Gower emphasized the regulatory measures being implemented by APRA to ensure that financial institutions are adequately prepared for the challenges ahead. A key focus for APRA is the upcoming implementation of Prudential Standard CPS 230 on Operational Risk Management, set to take effect on July 1, 2025. CPS 230 aims to enhance the resilience of financial institutions by ensuring they have a comprehensive understanding of their supply chain vulnerabilities and the necessary contingency plans to address potential disruptions.

"APRA has long recognized the importance of operational resilience. With the new CPS 230 standard, we are pushing for a more proactive approach to risk management, requiring institutions to conduct thorough risk assessments and implement robust contingency plans," Gower said.

The new standard will not only focus on operational risks but also emphasize the need for financial institutions to work closely with their third-party service providers. This will include establishing strong partnerships, ensuring continuous monitoring of third-party operations, and preparing for the potential cascading effects of external disruptions.

CPS 230 is part of APRA’s broader efforts to strengthen the resilience of Australia’s financial sector. It builds on existing prudential standards, such as those on Outsourcing and Business Continuity Management (CPS 231 and 232), and aligns with global best practices in operational risk management.

Another key component of Gower’s speech was the increasing focus on cyber resilience. APRA has been actively reminding regulated entities of their responsibilities to improve cybersecurity measures, especially as cyber threats evolve. Following a series of high-profile cyber incidents, including credential stuffing attacks on superannuation funds and ransomware attacks on financial institutions, APRA has called for more robust authentication mechanisms, including the faster adoption of multi-factor authentication for high-risk activities.

"Cyber resilience must be at the top of every financial institution’s agenda," Gower stated. "The recent wave of cyberattacks targeting the financial sector serves as a stark reminder that baseline cybersecurity practices are no longer sufficient. We need to raise the bar for cyber resilience to keep pace with emerging threats."

APRA’s recent outreach to superannuation funds underscores this growing focus. In a letter sent last week, APRA reminded funds of their obligations to implement stronger authentication controls and accelerate the rollout of multi-factor authentication for sensitive activities. "As the cyber landscape becomes more complex, financial institutions must remain vigilant and proactive in strengthening their defenses," Gower added.

Geopolitical Risks: A Global Perspective

Addressing the broader geopolitical risks facing the financial sector, Gower pointed to recent global events, including the war in Ukraine and shifting international trade dynamics, as indicators of the challenges that lie ahead. These events have highlighted the potential for disruptions to financial markets, supply chains, and cross-border transactions, underscoring the importance of geopolitical awareness in financial risk management.

The Australian financial system, while insulated from some of the direct impacts of these global events, is not immune to the ripple effects of geopolitical tensions.

"The interconnectedness of the global economy means that events overseas can have profound effects here at home," Gower noted. "From sanctions enforcement to foreign interference, Australian financial institutions must be prepared for a wide range of geopolitical risks."

APRA’s work with the Council of Financial Regulators (CFR) is focused on building resilience across the financial system to mitigate these risks. The CFR is coordinating efforts to monitor emerging threats and strengthen the overall preparedness of the Australian financial system.

In closing, Gower called on financial sector leaders to adopt a resilience-based approach to risk management.

"Those who view operational resilience through a compliance lens are likely to find themselves unprepared when disruptions occur. The future of risk management lies in resilience—the ability to adapt, respond, and recover from disruptions while maintaining trust with stakeholders," he emphasized.

Gower’s speech underscored that, while the financial system faces unprecedented challenges, it also has an opportunity to strengthen its foundations by investing in resilience and preparing for future risks.

"The storms may be coming, but with the right preparations, the financial sector can navigate through them and emerge stronger on the other side."
