APRA takes aim at banks over poor cyber security
The nation’s banks have been put on notice over slack cyber security and told action will be taken if they don’t sharpen up.
The prudential regulator has put the nation’s banks on notice over lax cyber security practices, saying boards should apply the same urgency to cyber risks as they do to credit and liquidity threats.
As part of a new four-year cyber strategy through to 2024, APRA says it will take a more targeted approach to ensure financial institutions are complying with the prudential standard on cyber security. It will also hold boards and management accountable where there are breaches, APRA executive board member Geoff Summerhayes said in a speech to the Financial Services Assurance Forum on Thursday.
The new strategy comes as cyber risks are on the rise, in part due to the rapid transition to online and remote working arrangements due to COVID-19, Mr Summerhayes said.
“In prioritising their ability to keep operating, many of the entities we regulate needed to make compromises to their normal information security protocols to facilitate the sudden switch to remote work arrangements for most or all employees.
“Very few entities have gone back to firmly close the gates they left ajar in March,” he told the forum.
Mr Summerhayes also flagged that APRA would soon request one-off independent cyber security reviews across all of its regulated industries.
“Starting next year, APRA will be asking boards to engage an external audit firm to conduct a thorough review of their CPS 234 (the prudential standard on cyber security) compliance and report back to both APRA and the board.
“We haven’t made a final determination on which entities this will apply to, but all entities should prepare accordingly,” he said.
The order from APRA comes after the regulator found discrepancies between financial institutions' own disclosures about their compliance with the rules and what its IT risk specialist team found when it conducted reviews of those entities.
At the end of last year, APRA asked financial services firms if they were complying with the cyber security standard. Around 100 entities confessed to shortcomings and requested more time, but most provided generally positive accounts of their compliance status, the regulator said.
“Yet when our IT risk specialist team has conducted cyber reviews of some of these entities, we’ve discovered significant weaknesses in every instance, in areas such as testing programs, control environments and incident response capabilities.”
The looming independent reviews and audits are about identifying and quickly fixing compliance issues but will also act as a message about the seriousness of the issue, and the need for greater accountability for meeting what are now legal obligations, Mr Summerhayes said.
APRA is no longer prepared to trust boards and “simply take their word for it”, he warned.
“Where gaps are sufficiently material, we will consider forcing entities to issue a breach notice and create a rectification plan.
“If boards are unwilling or unable to make the required changes in a timely manner, we will consider using formal enforcement action,” he said.
Australian companies hit with cyber attacks this year include logistics group Toll and media monitoring outfit Isentia.
Toll was in January subjected to a devastating ransomware attack that resulted in delayed deliveries and saw customer systems offline until early March.
Hackers breached its IT systems again in May and subsequently posted batches of the stolen private data on the dark web.