Cyber security is one of the biggest threats facing the Australian financial sector and should be at the "very top" of the risk registers of Australian companies, according to APRA chair Wayne Byres.

The boss of the Australian Prudential Regulation Authority (APRA), in a speech to the Committee for the Economic Development of Australia on Wednesday, listed cyber as one of the organisation’s key areas of focus.

“Cyber presents arguably the most difficult prudential threat ... it’s driven by malicious and adaptive adversaries who are intent on causing damage,” Byres said. “Cyclones and bushfires can be devastating, but they’re not doing it on purpose.

“There will be few organisations that don’t have cyber near the very top of their risk registers. It’s also high on ours.”

Cyber security in the financial sector is extremely important for Australia, but the huge number of organisations in play makes this difficult, with teamwork needed to improve security across the board, Byres said.

“The financial sector is a piece of core economic infrastructure for the country, and its cyber defences are therefore of great importance,” he said.

“However, the Australian financial system is an ecosystem of many thousands of interconnected financial entities, markets and infrastructure - not to mention all of the related service providers. The system is only as strong as its weakest link, but APRA only directly supervises around 680 of these.”

“Working collectively to share intelligence, pool resources and respond quickly to plug gaps and fix weak links are essential tactics to keep adversaries at bay.”

APRA released its Cyber Security Strategy in November last year, with three primary focus areas. These included establishing a baseline of cyber controls, enabling boards and executives of financial institutions to oversee and direct correction of cyber exposures, and rectifying weak links within the broader financial ecosystem and supply chain.

The strategy also details how APRA will work closely with other arms of government, including the Council of Financial Regulators, national security agencies and the Department of Home Affairs.

Byres said there is a need to “move with speed” to tackle the issue of cyber security in the financial sector head on.

He said APRA has already begun work to finalise a process of independent cyber security reviews across all of the APRA-regulated industry and is close to finishing an initial assessment process with nine pilot entities.

With information from these pilots, APRA will then embark on a 12-month period where it will ask all APRA entities to conduct independent assessments in order to establish a baseline of assurance across the entire system.

The organisation is also piloting a new data collection exercise on technology and cyber risks and working on a more active cyber defence testing regime in partnership with the Council of Financial Regulators’ agencies.

APRA is looking to enlist specialist expertise to “actively probe for gaps and weaknesses” in institutions’ cyber defences, using the tools and techniques that are being used by real-world cyber adversaries.

APRA’s 2020-24 Cyber Security Strategy flagged stricter cyber security standards and accountability for the financial sector.

Unveiling the strategy, APRA executive board member Geoff Summerhayes was critical of company boards.

“Cyber risk is hardly a new threat, yet many boards across our regulated population are still not properly equipped to oversee cyber matters and direct corrective action where necessary,” Summerhayes said in November last year.

“Where boards will leap into action to head off a threat to liquidity or a major credit risk, we don’t see that same sense of confidence and urgency translated to cyber security matters.”

The financial regulator also updated its information security standards in 2019 with more emphasis on testing systems, defining responsibilities and notifying the regulator of breaches.