Major cyber breach in finance inevitable

The prudential regulator has unveiled its cyber-security strategy for 2020-24, which seeks to lift security standards and introduce higher accountability where companies fail to meet their requirements.

Speaking to the Financial Services Assurance Forum on Thursday, Mr Summerhayes warned that the financial system is only as resilient to attacks as the “weakest link in the chain”.

“To date, no APRA-regulated bank, insurer or superannuation fund has suffered a material cyber breach, but our view that it’s only a matter of time until a major incident occurs hasn’t changed,” he said.

“For example, too many boards still lack visibility or understanding of the problems, while internal audit functions can lack the specialist skills to challenge boards and management to plug urgent gaps.”

The surge in online activity through the COVID period has presented a “business opportunity” for scammers and the like. During the course of 16 days through March, the Australian Cyber Security Centre received more than 45 pandemic-themed cyber-crime and cyber-security incident reports, while the ACCC’s Scamwatch received more than 100 reports of COVID-themed scams.

While there has been no obvious sign of a rise in adversaries targeting banks, insurers or super funds, Mr Summerhayes said the sector should not be complacent – cautioning it can take months or years for some attacks to be detected.

The Australian financial system has an estimated 17,000 interconnected financial entities, markets and financial market infrastructures that provide products and services to consumers. APRA directly supervises around 680.

The new cyber-security strategy will enable the prudential watchdog to apply a broader set of regulatory tools to cyber, acting with peer regulators and other government agencies, imposing greater accountability on entities that fail to comply with their prudential obligations.

It has three primary focus areas, including establishing a baseline of cyber controls by enforcing non-negotiable cyber practices, better sharing of cyber information and enabling more effective incident response processes.

APRA is also seeking to enable boards and executives to oversee and direct correction of cyber exposures, through practice guidance and cyber-oversight practices.

“Cyber risk is hardly a new threat, yet many boards across our regulated population are still not properly equipped to oversee cyber matters and direct corrective action where necessary,” Mr Summerhayes said.

Internal auditors have also been targeted in the strategy. The regulator has pledged to work with relevant professional bodies such as the Australian Institute of Company Directors, the Risk Management Institute of Australasia and the Institute of Internal Auditors.

Mr Summerhayes reported the regulator had observed audit committees not knowing how to act when cyber exposures are exposed by internal auditors, an audit committee struggling to interpret the severity of cyber-risk findings compared to findings from other areas of the business and internal auditors that don’t conduct a thorough enough investigation into the state of cyber controls.

The third branch of the new strategy will see the regulator target weak links within the broader ecosystem and supply chain – part of which will require it to align its requirements for cyber security with the Reserve Bank and ASIC.