Financial industry boards and auditors have been warned cyber security practices will be under increased scrutiny as part of a push to strengthen the sector’s resilience against online threats.
Unveiling APRA’s 2020-24 Cyber Security Strategy at today’s Financial Services Assurance Forum, Geoff Summerhayes flagged tighter cybersecurity standards and accountability for the financial sector.
“We are still seeing too many basic cyber hygiene issues across the industry,” said Summerhayes, an Executive Board member of the Australian Prudential Regulatory Authority.
“Our goals here are to eradicate unnecessary or careless cyber exposures, foster a community of ‘cyber defenders’ that is greater than the sum of its individual parts, and make sure entities are ‘battle ready’ for when breaches inevitably occur.”
Summerhayes was particularly scathing of company boards, saying “Cyber risk is hardly a new threat, yet many boards across our regulated population are still not properly equipped to oversee cyber matters and direct corrective action where necessary. Where boards will leap into action to head off a threat to liquidity or a major credit risk, we don’t see that same sense of confidence and urgency translated to cyber security matters.”
Auditors were also warned they are in the regulator’s crosshairs, Summerhayes warned “a company’s internal audit function should be the eyes and ears of the board into their organisations. However, when it comes to cyber, the eyesight is often blurry and the hearing dull. Internal audit functions in many APRA-regulated entities lack sufficient cyber skill sets, are under-resourced, and methodologies are under-developed."
The strategy follows APRA updating information security standards for the financial industry last year with a greater emphasis on testing systems, defining responsibilities and notifying the regulator of breaches.
Summerhayes cited the cyberattacks that crippled the Toll Group – which had 200Gb of data released on the dark web after the logistics company’s systems were disrupted – and, more recently media monitoring service, Isentia which had its key customer platform disabled, as worst case examples of what can go wrong.
In his announcement, Summerhayes said the Toll Group’s travails, which affected national supply chains, was an example of the interdependence of modern systems and the importance of the financial system to the economy.
“As a company specialising in logistics, freight transport and express delivery services, the impact of the two ransomware attacks was felt far more widely than the affected company, as the thousands of clients experienced major delays in tracking and receiving deliveries.
“The impact would have been more damaging again had the victim been a critical infrastructure provider, such as a telecommunications company, an energy generator – or a major financial institution.”
The new strategy looks to ensuring the Australian financial system can stand firm against cyber attacks, said Summerhayes.
“At the heart of the new strategy is recognition that the Australian financial system is an ecosystem of an estimated 17,000 interconnected financial entities, markets, and financial market infrastructures that provide products and services to consumers.
“APRA only directly supervises around 680 of these, yet we know that a cyber breach in any part of the system – such as an insurance broker, a credit ratings agency, an IT service provider or ATM repair service – can have a cascading impact on the whole system.
“To better address this gap, our new Cyber Security Strategy will see APRA apply a broader set of regulatory tools and techniques to cyber, acting in concert with peer regulators and other government agencies, and imposing greater accountability on entities that fail to adequately comply with their prudential obligations.”
APRA’s strategy will focus on three key areas; establishing a baseline of controls, stepping up oversight of ‘cyber exposures’, and addressing weak links across the broader financial ecosystem.
Summerhayes also warned audits are on the way for market participants, saying “I can announce today that APRA will shortly be requesting one-off tripartite independent cyber security reviews across all our regulated industries.
“Starting next year, APRA will be asking boards to engage an external audit firm to conduct a thorough review of their CPS 234 compliance and report back to both APRA and the board. We haven’t made a final determination on which entities this will apply to, but all entities should prepare accordingly.”
APRA’s cyber strategy follows the Federal government launching its roadmap in August which included $1.6bn spending over ten years.
Summerhayes flagged APRA’s efforts will dovetail into other agencies’ work, concluding in his speech “we are all – governments, regulators, organisations and individuals – links in a chain – and we are in this battle together.
“By sharing information and expertise, pooling resources and taking prompt action to plug gaps and fix weak links, we create a community of cyber defenders that is greater than the sum of its parts. In doing so, we help to keep the chain as strong as possible, and lock out those who would do us harm.”