Op-Ed: APRA doubles down on cyber resilience warning – so, what now?

Australian regulators and legislators are doubling down on their efforts to protect the economy from cyber attacks and mass outages.

David Rajkovic, Managing Director at Rubrik A/NZ
Wed, 26 Feb 2025

While impacts are being felt across the economic spectrum, the financial services sector is under a particularly intense microscope.

In its latest corporate plan, the Australian Prudential Regulation Authority (APRA) highlighted cyber resilience as one of its strategic priorities, an area in which it will heighten regulatory focus. This comes only months after APRA released an open letter to Australia’s financial sector warning it had “observed weakness in the use of data backups to protect an entity against data loss”.

On the legislative side, Cyber Security Minister Tony Burke has introduced Australia’s first standalone Cyber Security Act, which would force critical infrastructure providers – including some financial services institutions (FSI) – to overhaul deficient risk management programs.

With the operating landscape changing so fast, FSI leaders need to understand the drivers, implications, and compliance strategies behind Australia’s enhanced regulatory regime.

Data risk driving resilience focus

Australia is not alone in mandating greater cyber resilience in its financial services sector. While APRA has highlighted the area as one of increased focus, more prescriptive guidance is needed on what “good” cyber resilience looks like.

Internationally, for example, the UK’s financial regulator has taken a more detailed approach. It has similarly highlighted cyber resilience as a key focus area and also introduced a March 2025 deadline for organisations under its purview to demonstrate the resilience of “important business services”.

Critically, these systems are stress-tested with simulated attacks to gauge the effectiveness of any resilience strategy.

While matching the pace of international regulatory action might be behind APRA’s increased focus, the reality of cyber activity on home soil can’t be ignored.

In the Office of the Australian Information Commissioner’s (OAIC) latest Notifiable Data Breaches report, the financial services sector experienced the third-highest number of data breaches in the first half of this year – behind only the healthcare and public sectors.

It is clear that financial institutions are major targets of cyber attack groups. With international regulators taking the initiative to safeguard critical payment infrastructure, APRA would be remiss if it didn’t follow suit.

Implications for business leaders

The increased focus on cyber resilience marks an important shift. Rather than assuming every attack can be thwarted, the regulatory focus on recovery acknowledges that this is not the case. Whether through an extremely sophisticated adversary or a simple act of human error, it is impossible to stop every single attack.

Organisations now need to adopt an “assumed breach mindset” and prove their ability to rapidly recover critical operations following an attack.

To do so, there are five key questions leaders need to rapidly answer in the event of an incident.

The first is, can we recover? This question can be hard to answer. Attackers know the only thing standing between them and a successful ransom is their victim’s backup data and recovery capability. In fact, recent research found that 99 per cent of organisations reported malicious actors attempting to impact data backups during a cyber attack.

After recoverability has been confirmed, the next question is, what do we recover? Understanding the full blast radius of an attack and exactly what data has been encrypted is key for recovery procedures to begin as soon as possible.

The next question to answer is, how far back do you need to go to find a clean copy of that data? Finding a clean recovery point should also include a comprehensive scan of the backup data for indicators of compromise to ensure the organisation isn’t re-infected with the same malware.

While large-scale data encryption can severely disrupt operations, it is also important to know: what was stolen? Attackers increasingly opt for double extortion attacks where data is both encrypted and stolen. Knowing whether sensitive data was taken means impacted stakeholders can be notified as soon as possible.

The final, and perhaps most crucial, thing to know is, how long will it take? For business-critical systems, recovery plans need to be regularly tested, proven and documented, with automation supporting both simulated scenarios and the acceleration of actual recovery wherever possible.

If any of these are unknown, so, too, is the organisation’s ability to recover – not just from cyber incidents but also from outages, cloud instance failures, and even insider threats. These unknowns add to the time that will be needed to recover. The critical thing to consider is the tolerance of the business function to an extended outage.
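As an added illustration, not code from the article or from Rubrik, the Python below sketches how a recovery team could answer the first three questions and the last one against a catalogue of backup snapshots: walk the snapshots newest-first, skip any whose integrity check failed or that contain a known indicator of compromise, take the first clean one as the recovery point, diff it against the newest snapshot to size the blast radius, and compare the estimated restore time with the business function’s outage tolerance. It assumes a backup platform that exposes per-snapshot file hashes and an integrity flag (hypothetical fields); the snapshots, file hashes and IoC values are constructed sample data, not real indicators.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed placeholder IoC values for the example; real indicators would
# come from incident-response findings or threat intelligence.
IOC_HASHES = {"sha256:CONSTRUCTED-dropper", "sha256:CONSTRUCTED-encryptor"}


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    file_hashes: dict          # path -> content hash (constructed sample values)
    integrity_ok: bool = True  # assumed field: platform-side integrity verification passed


def scan_for_iocs(snap: Snapshot, iocs: set) -> set:
    """Paths in the snapshot whose content hash matches a known indicator."""
    return {path for path, digest in snap.file_hashes.items() if digest in iocs}


def latest_clean_snapshot(snapshots, iocs):
    """Newest snapshot that passed integrity checks and carries no IoC, else None.

    Attackers target backups, so a snapshot that failed integrity verification
    is never trusted as a recovery point even if its contents look clean.
    """
    for snap in sorted(snapshots, key=lambda s: s.taken_at, reverse=True):
        if snap.integrity_ok and not scan_for_iocs(snap, iocs):
            return snap
    return None


def blast_radius(clean: Snapshot, newest: Snapshot) -> set:
    """Paths that changed, appeared or disappeared between the clean point and now.

    The newest snapshot may itself be untrusted for restore, but diffing it
    against the clean point still tells the team what has to be recovered.
    """
    changed = {p for p, d in newest.file_hashes.items() if clean.file_hashes.get(p) != d}
    changed |= {p for p in clean.file_hashes if p not in newest.file_hashes}
    return changed


def assess_recovery(snapshots, iocs, incident_time, data_gb, restore_gb_per_hour, outage_tolerance):
    """Can we recover, what, how far back, how long, and is that within tolerance?"""
    clean = latest_clean_snapshot(snapshots, iocs)
    if clean is None:
        return {"can_recover": False, "reason": "no verified snapshot free of IoCs"}
    newest = max(snapshots, key=lambda s: s.taken_at)
    restore_time = timedelta(hours=data_gb / restore_gb_per_hour)
    return {
        "can_recover": True,
        "recovery_point": clean.taken_at,
        "data_loss_window": incident_time - clean.taken_at,
        "blast_radius": blast_radius(clean, newest),
        "estimated_restore_time": restore_time,
        "within_tolerance": restore_time <= outage_tolerance,
    }


# Constructed sample catalogue: nightly snapshots leading up to an incident.
SAMPLE_SNAPSHOTS = [
    Snapshot(datetime(2025, 2, 20, 2), {"a": "h_a", "b": "h_b", "c": "h_c"}),
    Snapshot(datetime(2025, 2, 21, 2), {"a": "h_a", "b": "h_b2", "c": "h_c"}),
    # dropper lands in the backup set: scan flags it, so this is not a clean point
    Snapshot(datetime(2025, 2, 22, 2),
             {"a": "h_a", "b": "h_b2", "c": "h_c", "tmp/update.exe": "sha256:CONSTRUCTED-dropper"}),
    # files encrypted and the backup catalogue tampered with: integrity check fails
    Snapshot(datetime(2025, 2, 23, 2),
             {"a": "enc_a", "b": "h_b2", "c": "enc_c", "tmp/update.exe": "sha256:CONSTRUCTED-dropper"},
             integrity_ok=False),
]


def demo():
    return assess_recovery(
        SAMPLE_SNAPSHOTS, IOC_HASHES,
        incident_time=datetime(2025, 2, 23, 9),
        data_gb=500, restore_gb_per_hour=100,
        outage_tolerance=timedelta(hours=8),
    )


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script, the assessment picks the 21 February snapshot as the recovery point (the 22 February one contains an indicator and the 23 February one failed integrity checks), reports a data-loss window of 55 hours, a blast radius of three paths, and a five-hour restore that fits inside the eight-hour tolerance. The restore-rate figure is the input most organisations get wrong; it should come from rehearsed recovery tests, not vendor datasheets.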

Minimum viable business

Organisations should consider the “minimum viable business” (MVB) strategy to surpass current regulations and the stricter standards many expect in the future.

For FSI, this means maintaining core functions and services necessary for operational continuity during disruptions.

Banks, for example, might prioritise essential services such as claims, deposit, and withdrawal processing, payment systems, and basic lending. This ensures critical financial services remain available to customers, maintaining trust and stability in the financial system.

An MVB represents the smallest version of a business that still fulfils the critical value-generating activities while dealing with unexpected business interruptions.

The applications and data required to execute these functions would have greater protections and more sophisticated recovery plans to ensure they could be brought back online as soon as possible.

Ultimately, recent attacks and widespread outages have exposed the consequences of mass data loss. Minimising the impact of future attacks, particularly as geopolitical tensions rise, is a priority for regulators and legislators – so it should be a priority for business leaders, too.
