According to the Reserve Bank of Australia, an increasing share of payments are now made electronically with Australians on average making 625 electronic transactions each year.
While the convenience of digital payments is not in question, the security of the financial institutions and the resilience of the infrastructure that make this shift possible are — and always will be — given how critical they are to our daily lives.
A successful cyber attack against an Australian financial institution would bring lives screeching to a halt. Not only would transactions grind to a standstill as critical data becomes encrypted, but the relatively new attack method of data exfiltration could also see Australian personal information used in wide-scale financial fraud.
The risk of this occurring is not theoretical.
In fact, in the face of increasing cyber attacks in 2019, the Australian Prudential Regulation Authority (APRA) released CPS234, a mandatory regulation requiring APRA-regulated entities such as banks, credit unions, and insurance providers to uplift their security capabilities to meet the growing threat.
Three years on from the regulation’s release, how has the financial services industry responded?
One word from APRA’s recent review into CPS234 adherence sums it up well: Disappointingly.
After surveying regulated entities on their system health, information security capabilities, and disaster recovery ability, APRA found that 35 per cent hadn’t tested critical system backups in the past 12 months, more than 22 per cent hadn’t tested cyber incident response plans, and 60 per cent hadn’t assessed their IT service providers’ information security control testing.
What do these results mean?
They mean that more than one-third of financial institutions would have no idea whether they could recover their data and restart operations from their backups following a ransomware attack, that more than 20 per cent would struggle to respond at all, and that almost two-thirds are vulnerable to an attacker compromising their suppliers and sneaking in undetected.
If these figures weren’t enough to put the industry on notice, the latest figures from the Office of the Australian Information Commissioner’s Notifiable Data Breaches scheme should. In its latest report, it revealed the finance industry reported the second highest number of data breaches, behind only the health sector.
Further, in an Australian-first, ASIC recently found RI Advice Group had breached its financial services licence by failing to adequately manage cyber risk.
If the risk of regulatory action or reputational damage stemming from an attack is not enough to get the financial industry to lift its game, what will?
APRA made it clear in its recent report into CPS234 that responsibility lies squarely with the board.
“Disappointingly, APRA’s observations from the CPS234 assessment and its supervisory activities have found little evidence of boards actively reviewing and challenging the information that senior management has provided on cyber topics,” it said.
We’ve seen in the fallout of Star Casino inquiries what happens when boards and senior executives turn a blind eye to their responsibilities — the criminals come out to play.
In the casino’s case, this manifested in wide-scale money laundering. In the financial services industry, this could lead to untold disruption as banks struggle to remediate payment systems while customers risk having their personal and banking information pilfered.
With so much work left to do, where can boards start to uplift their security postures?
The first is to appreciate the scale of the threat. While so far we haven’t seen the catastrophic effects of a full-scale ransomware attack on an Australian bank, we have seen the disruption such attacks can cause. After Colonial Pipeline was attacked, oil supply in the US was disrupted for weeks. When the food processor JBS fell victim, there were fears of food shortages around Australia and the world. The two attacks on logistics firm Toll caused widespread supply chain disruptions across the nation.
The second is to understand the goal of these attacks. In almost every cyber attack, the ultimate goal is to corrupt or steal data. As such, data security becomes critical. While perimeter security is important, data security ensures data is resilient and personal information is protected even after an attacker has breached the network.
By bringing security to the point of data, FSI executives and boards can overcome the paralysis-inducing operating assumption that their data is vulnerable.
Think about the physical security of a bank. If a criminal bypasses the guards, the locked doors, and the alarm systems, are cash and gold simply lying strewn around on the floor? No, they are locked away in highly secure safes.
Data security is the digital version of these safes. It ensures that critical backups can always be relied on to rapidly restart a system from the last moment before an infection, it allows organisations to control which user has access to what data and when, and it provides the visibility to know what is happening to data in real time so that unusual activity can be detected immediately.
At a political level, Australia is taking the cyber security problem seriously with the appointment of the first-ever dedicated Cyber Security minister in Clare O’Neil. Banks must do the same, if not to avoid the wrath of the regulator, then surely for the safety of their customers.
Scott Magill, managing director, Rubrik A/NZ