Global: APRA Cautions Australian Banks Over Legacy Tech and Cloud Concentration Risks

The Australian Prudential Regulation Authority (APRA) has urged banks and their internal audit teams to strengthen oversight of technology-related risks, warning that overreliance on outdated systems and a limited number of cloud providers poses a growing threat to financial stability.

Speaking at an industry event, Suzanne Smith, APRA Member for Supervision, highlighted the regulator’s increasing concern over technology concentration risk—the dependence of multiple financial institutions on the same set of critical service providers.

“Across banking, insurance, and superannuation, critical operations often rely on a concentrated group of technology vendors, including cloud platforms, processors, network providers, and software-as-a-service (SaaS) operators,” Smith said. “If even one of these providers experiences an outage, the ripple effects could disrupt essential services across multiple institutions.”

Smith also underscored the vulnerabilities linked to legacy infrastructure, noting that many financial entities still depend on outdated software and hardware that fall short of modern cybersecurity and resilience standards.

“Legacy systems are inherently less resilient to cyber threats,” she said. “They often lack adequate encryption, segregation, authentication, and real-time monitoring capabilities—features that are essential to safeguard customer data and ensure operational continuity.”

To mitigate these risks, APRA is calling on banks to empower internal audit teams to play a more proactive role in identifying and managing technology weaknesses.

“One of internal audit’s core responsibilities is ensuring that the fundamentals—such as workforce planning, employee engagement, and delivery of digital transformation—are sound,” Smith explained. “Audit teams must remain vigilant against cost-cutting measures that may appear efficient in the short term but lead to higher long-term expenses.”

She cautioned that delaying system upgrades or replacements to maintain profitability could result in hidden operational costs and greater exposure to cyber and operational risks.

The warning comes as APRA continues to tighten its supervisory focus on operational resilience, cybersecurity, and third-party risk management in the face of increasing digital dependency across Australia’s financial sector.

Smith emphasized that maintaining a secure and resilient technological foundation is not just a regulatory requirement but a business imperative for banks seeking to build trust and stability in an increasingly digital financial landscape.
