The Standard

The Standard is a bi-monthly publication that snapshots financial services regulatory issues and offers the opportunity to contribute to policy development and submissions.

Cyber breach could topple finance firm, APRA warns

by Lewis Panther | 14 Nov 2019
It is only a matter of time before a cyber breach forces a financial services firm out of business.

The stark warning from APRA comes as it revealed 36 notifications of breaches in the four months since its CPS 234 standard came into force.

Much more needs to be done, with businesses adopting an “assumed breach” mentality, according to APRA Executive Board Member Geoff Summerhayes.

“I say ‘when’, rather than ‘if’ quite intentionally; not out of pessimism about the scale of the cyber threat, nor scepticism about your organisation’s IT capabilities,” he said.

“But because of APRA’s belief in the importance of organisations adopting an ‘assumed breach’ mentality.

“It means acting on the basis that your information security defences will, at some point, be compromised by a cyber-adversary, and having the systems and experienced personnel available to repel the attack, re-secure the network and rectify any damage.

“No APRA-regulated entity has experienced a breach material enough to threaten its viability, but I can assure you it’s not for want of trying.

“We’ve warned repeatedly that it’s only a matter of time until an Australian bank, insurer or superannuation licensee suffers a significant breach that, in a worst case scenario, could force it out of business.”

Summerhayes cited reports about the theft of almost $2 million from Australian superannuation funds and share trading accounts by a group of online hackers as a reminder that there is no room for complacency.

Cyber-adversaries, including some backed by governments, are growing in number and sophistication.

And financial services is proving a lucrative target, as reported in InFinance back in September.

The sector was the second-largest victim of data breaches between April and June, according to the Office of the Australian Information Commissioner (OAIC).

That was an embarrassing blow for an industry that had to admit in August that the private details of 92,000 customers had been hijacked through the New Payments Platform’s (NPP) PayID system.

Customers of the big four were affected in an attack similar to a breach of PayID in early June that affected 98,000 customers.

Cyber crime is so serious that it is listed alongside espionage and terrorism as the greatest risk to national security.

Summerhayes told the CyBSA 2019 Cyber Breach conference that the fact everyone has a bank account shows just how important security is.

“You all rely on the protection of insurance,” he said.

“You all have your retirement savings invested in superannuation.

“Consequently, APRA’s efforts to shore up the cyber resilience of the entities we regulate matter greatly, not only to you, but to all Australia.

“The number of incidents – most relatively minor – from a reporting population of almost 600 entities isn’t cause for undue alarm, and it supports APRA’s belief that the financial sector broadly handles information security incidents well.”

But APRA has noted weak spots.

“For example, we have identified basic cyber hygiene as an ongoing area of concern,” explained Summerhayes.

“This includes having systems for which the vendor is no longer providing support or security updates.

“The lack of a comprehensive security patching regime and poor access management practices are also common.

“Some institutions still haven’t developed a complete inventory of their information assets within their IT real estate or put in place effective oversight where part of that real estate is managed by third parties.”
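The four hygiene gaps Summerhayes lists above (unsupported systems, no patching regime, poor access management, incomplete asset inventory and weak oversight of third-party-managed assets) are all things an institution can check mechanically against its own asset register. The script below is an added illustration, not APRA’s method and not code from the article: it audits a constructed sample inventory against assumed policy thresholds (a 30-day patch SLA, at most three privileged accounts per asset) and compares the register with a constructed list of hosts observed on the network to surface assets the inventory does not know about. All hostnames, dates and thresholds are made up for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Iterable, List, Optional, Set

# Assumed policy thresholds for this example (not APRA figures).
PATCH_SLA_DAYS = 30   # patches older than this count as overdue
MAX_ADMINS = 3        # more privileged accounts than this is flagged

# Audit date: the article's publication date, used here as "today".
AUDIT_DATE = date(2019, 11, 14)


@dataclass
class Asset:
    """One record from an information-asset inventory (constructed schema)."""
    name: str
    owner: str                        # accountable internal owner; "" = none recorded
    support_end: Optional[date]       # vendor end-of-support date; None = still supported
    last_patched: Optional[date]      # None = never patched / unknown
    managed_by_third_party: bool
    third_party_oversight: bool       # contract, reporting and monitoring in place
    admin_accounts: List[str] = field(default_factory=list)


def audit_asset(asset: Asset, today: date) -> List[str]:
    """Return the hygiene findings for a single asset, as short codes."""
    findings: List[str] = []
    # Vendor no longer provides support or security updates.
    if asset.support_end is not None and asset.support_end <= today:
        findings.append("UNSUPPORTED")
    # No evidence of a working patching regime on this asset.
    if asset.last_patched is None or (today - asset.last_patched).days > PATCH_SLA_DAYS:
        findings.append("PATCH_OVERDUE")
    # Nobody is accountable for the asset.
    if not asset.owner:
        findings.append("NO_OWNER")
    # Outsourced asset without effective oversight.
    if asset.managed_by_third_party and not asset.third_party_oversight:
        findings.append("THIRD_PARTY_NO_OVERSIGHT")
    # Access management: too many privileged accounts.
    if len(asset.admin_accounts) > MAX_ADMINS:
        findings.append("EXCESS_ADMINS")
    return findings


def audit_inventory(assets: Iterable[Asset], today: date) -> Dict[str, List[str]]:
    """Map asset name -> findings, omitting assets with nothing to report."""
    report: Dict[str, List[str]] = {}
    for asset in assets:
        findings = audit_asset(asset, today)
        if findings:
            report[asset.name] = findings
    return report


def find_unregistered(assets: Iterable[Asset], observed_hosts: Set[str]) -> Set[str]:
    """Hosts seen on the network (e.g. from a scan or CMDB sync) but absent
    from the inventory: evidence the inventory is incomplete."""
    registered = {asset.name for asset in assets}
    return observed_hosts - registered


# Constructed sample inventory (hypothetical hosts).
SAMPLE_ASSETS = [
    Asset("core-banking-db", "platform-team", None, date(2019, 11, 1),
          False, True, ["dba1", "dba2"]),
    Asset("legacy-payments-gw", "", date(2019, 1, 14), date(2018, 6, 1),
          True, False, ["ops1", "ops2", "ops3", "vendor-admin", "contractor"]),
    Asset("hr-portal", "people-ops", date(2021, 1, 1), date(2019, 9, 30),
          True, True, ["svc-hr"]),
]

# Constructed list of hosts observed on the network during the same period.
OBSERVED_HOSTS = {"core-banking-db", "legacy-payments-gw", "hr-portal", "shadow-fileserver"}


if __name__ == "__main__":
    for name, findings in sorted(audit_inventory(SAMPLE_ASSETS, AUDIT_DATE).items()):
        print(f"{name}: {', '.join(findings)}")
    print("not in inventory:", sorted(find_unregistered(SAMPLE_ASSETS, OBSERVED_HOSTS)))
```

Run against the sample data, the audit flags the legacy gateway on every count, flags the HR portal only for an overdue patch, and reports one host that exists on the network but not in the register. The value of such a check lies less in the script than in the inputs: it only works if the inventory records support dates, patch dates and ownership for every asset, which is precisely the gap the regulator describes.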

Intriguingly, there have been fewer cases of compromised customer data in regions where digital banking is more widespread.

OpenText Global Strategist for financial services Monica Hovsepian said that parts of the world where Open Banking was more advanced had less of a problem.

While 35% of Europeans acknowledged their data had been compromised, the figure was slightly higher in the APAC region at 39%, and highest in North America, where 43% admitted they had been affected.
