APRA policies and supervision: priorities for 2023

The Australian Prudential Regulation Authority (APRA) aims to protect financial institutions and the financial system as a whole by proactively identifying and responding to significant risks.

APRA has recently released its policy and supervision priorities for 2023, in accordance with its latest Corporate Plan. Notably, APRA has stated that given the heightened risk of operational disruptions, including cyberattacks, it:

  • will further increase the scrutiny of operational and cyber risk-management practices across all industries; and
  • has heightened expectations of entities’ ability to rapidly detect weaknesses and to implement remediation plans.

In line with this focus, two of APRA’s policy and supervision priorities for 2023 are particularly relevant to financial institutions assessing their cybersecurity posture:

1. Completing key reforms to strengthen the financial and operational resilience of APRA-regulated entities, and improve outcomes for superannuation members

APRA has stated that regulated entities must be able to identify and effectively respond to business disruptions and operational risks and to ensure the data they hold is secure.

In 2023, there will be a focus on strengthening operational resilience through oversight of third-party service provision, technology resilience, operational risk and compliance.

This focus foreshadows the pending implementation of Prudential Standard CPS 230 Operational Risk Management (CPS 230), which will consolidate and replace the existing outsourcing (CPS 231) and business continuity (CPS 232) standards, and will provide a single framework for financial institutions to manage their operational, information and technology risks, including those introduced by material service providers, and to ensure the stability and resilience of their critical operations.

2. Heightened supervision on cyber resilience through detailed assessments and rigorous pursuit of breaches

Prudential Standard CPS 234 Information Security (CPS 234) underpins APRA’s 2020-2024 Cyber Security Strategy. Under CPS 234, regulated entities must systematically test and independently assess their information security controls, and must notify APRA of material information security incidents as soon as possible and no later than 72 hours after becoming aware of them, and of material information security control weaknesses that cannot be remediated in a timely manner as soon as possible and no later than 10 business days after becoming aware of them.

In 2023, APRA intends to use this information to exercise heightened supervision on cyber resilience, including:

  • rigorously pursuing breaches of the standard;
  • requiring and reviewing comprehensive remediation plans to ensure timely rectification and follow-up of all identified gaps;
  • conducting targeted deep-dive reviews of areas of weakness that fail to meet expectations; and
  • sharing insights and industry-wide guidance to direct cyber resilience uplift.

APRA has also expressed that it will be focussing on board effectiveness in relation to cyber resilience, and will issue information requests to board members at select regulated entities to gain a better insight into practices and potential weaknesses.

What does this mean for Australian financial institutions?

Australian financial institutions should consider whether their own policies and practices align with APRA’s expectations, and adopt additional measures as appropriate. Questions that financial institutions should be asking include:

  1. Cybersecurity resilience: does the financial institution have the necessary measures in place to detect, respond to, and recover from cyber threats, and can it demonstrate that those controls are tested and assessed as CPS 234 requires?
  2. Data security: does the financial institution manage its data securely, including protecting sensitive information and meeting its privacy obligations?
  3. Third-party risk management: does the financial institution identify and mitigate the security risks posed by external partners and vendors, including the material service providers that CPS 230 will bring into scope?
  4. Incident response planning: does the financial institution have a robust, tested incident response plan that allows it to respond quickly and effectively to security incidents and to meet CPS 234’s 72-hour notification deadline for material incidents?

By answering these questions and identifying gaps in its policies and practices, a financial institution will be better equipped to meet APRA’s expectations and to contribute to the stability and resilience of the financial system as a whole.

Marsh offering

As your trusted advisor and partner in cyber risk management and enterprise risk assessment, Marsh can work with you to determine your current cyber risk posture and implement improved protocols and procedures to enhance insurability, loss mitigation and cyber resilience. These reviews extend beyond your technical risk management procedures to an enterprise-wide review of cyber resilience, data protection and incident preparedness.

Our people

Gill Collins

Head of Cyber Incident Management and Cyber Consulting, Pacific

Hannah Morgans

Growth Leader, Cyber
This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. LCPA 23/113

Marsh Pty Ltd (ABN 86 004 651 512, AFSL 238983) (“Marsh”) arranges this insurance and is not the insurer. The Discretionary Trust Arrangement is issued by the Trustee, JLT Group Services Pty Ltd (ABN 26 004 485 214, AFSL 417964) (“JGS”). JGS is part of the Marsh group of companies. Any advice in relation to the Discretionary Trust Arrangement is provided by JLT Risk Solutions Pty Ltd (ABN 69 009 098 864, AFSL 226827), which is a related entity of Marsh. The cover provided by the Discretionary Trust Arrangement is subject to the Trustee’s discretion and/or the relevant policy terms, conditions and exclusions. This website contains general information, does not take into account your individual objectives, financial situation or needs and may not suit your personal circumstances. For full details of the terms, conditions and limitations of the covers and before making any decision about whether to acquire a product, refer to the specific policy wordings and/or Product Disclosure Statements available from JLT Risk Solutions on request. Full information can be found in the JLT Risk Solutions Financial Services Guide.