‘Under siege’ banks warned of ‘tougher’ cyber breach enforcement

Australian Prudential Regulation Authority executive board member Geoff Summerhayes, who has oversight of the general, life and private health insurance sector, revealed on Thursday that banks were “under siege” from cyber security attacks and that a new legally-enforceable information security standard on the financial sector, CPS 234, had uncovered 36 data breaches since it came into effect in July.

Jasmine Vella-Arpaci leaves the Melbourne Magistrates Court. Credit:Chris Hopkins

“Many of those were data breaches involving the disclosure of personal information as a result of human error (such as ‘accidental’ disclosure where an employee emailed a spreadsheet externally which included customer information),” Mr Summerhayes told attendees of the CyBSA 2019 Cyber Breach Simulation Australia.

“Others, more ominously, involved a compromise of staff or customer credentials resulting in the unauthorised manipulation of records, website defacement and fraud.”

APRA-regulated institutions would have been subject to “vastly more attempted cyber-attacks”, he said. It’s just that those uncovered were “the ones that succeeded – and that we know about”.

“With some cyber-incidents taking years to detect, it’s entirely possible that one of the banks, insurers or super funds has been compromised and we simply don’t know about it,” he said.

Perhaps more concerning was the fact that over 70 per cent of regulated entities self-reported to APRA “compliance gaps” with the new regulation, meaning the regulator would need to “monitor progress in this area closely, seeking an independent assessment of CPS 234 compliance in due course”.

While the number of breaches — from almost 600 entities APRA regulates — wasn’t “cause for undue alarm”, Mr Summerhayes said it did reveal “areas of common weakness” among financial institutions, many of which APRA had “called out repeatedly”.

“For example, we have identified basic cyber hygiene as an ongoing area of concern,” he said.

‘Keys to the kingdom’

How financial institutions control privileged access to their systems was “also troubling”, he said.

“Handing over the ‘keys to the kingdom’ and allowing access to information and systems without tight controls around who exactly has them can only increase an organisation’s exposure to attack.”

As a result of the insights learned from the new regulation, Mr Summerhayes said APRA would be “increasingly challenging entities” in the cyber security space by “utilising data driven insights to prioritise and tailor our supervisory activities”.

“In the longer term, we’ll use this information to inform baseline metrics against which APRA regulated institutions will be benchmarked and held to account for maintaining their cyber defences. We’ve set the floor with CPS 234 and will be enforcing these legally-binding minimum standards in a ‘constructively tough’ manner.

‘Still room for improvement’

Kevin Vanhaelen, Asia-Pacific regional director for cyber security company Vectra AI, said that 36 breaches in four months indicated that there was “still room for improvement”.

“I would bet my bottom dollar that there are more that are yet to be discovered,” Mr Vanhaelen said.

“It takes on average around 200 days before a breach is detected, the majority of which are only discovered after receiving a notification from an external party. With a cyber attack having the ability to put a bank, insurer and super fund out of business, these time frames are simply unacceptable.

“Reducing threat notification and response processes needs to move from weeks or days to minutes.”

with Sarah Danckert and Yan Zhuang
