Australian banks and their internal audit teams must prioritize the risks associated with legacy technology and an over-reliance on a limited number of cloud service providers, as emphasized by the industry regulator.
In a recent address to the banking sector, Suzanne Smith, a representative from the Australian Prudential Regulatory Authority (APRA), highlighted the growing concern regarding concentration risk.
“Across banking, insurance, and superannuation, crucial operational delivery frequently depends on a small group of technology vendors, particularly in areas such as cloud services, processors, and various as-a-service models,” Smith remarked. “If any of these providers experience a failure, even momentarily, it could disrupt services for all entities relying on them.”
Smith also pointed out the vulnerabilities linked to outdated technology. “Many institutions under APRA’s supervision are still heavily reliant on legacy systems, which are often constructed using antiquated software and hardware,” she noted. “These legacy systems typically lack resilience against cyber threats, as they do not meet modern standards for encryption, user access control, authentication, and real-time monitoring.”
As a result, banks should enhance the role of their internal audit teams in monitoring technology-related risks.
“One of the primary responsibilities of internal audit is to ensure that fundamental processes are in place, particularly in workforce planning, employee engagement, and the advancement of digital transformation initiatives,” Smith explained. “Additionally, internal audit teams should remain vigilant regarding cost-cutting strategies aimed at preserving profitability, as these can inadvertently lead to significant expenses down the line. For instance, postponing the replacement of aging technology assets often carries hidden costs that will eventually need addressing.”