COVID has affected oversight: APRA
The prudential regulator has admitted that remote monitoring has diminished the effectiveness of its oversight with financial institution.
The prudential regulator has admitted that remote monitoring has diminished the effectiveness of its oversight with financial institutions, as it detailed cybersecurity cracks in the sector’s operational resilience through the COVID-19 pandemic, including employees sending sensitive data to their own personal emails.
In its latest quarterly insight report into the financial services industry, APRA homed in on how the nation’s banks, insurers and super funds were coping through the crisis, as well as its own supervision challenges and the liquidity in the super system through the government’s early access scheme.
The regulator’s assessment found that, to date, the financial industry had weathered the COVID-19 storm well, but cautioned that the pandemic had exposed weaknesses in operational resilience.
“In Australia, federal and state government health restrictions compelled the majority of entities’ staff to work from home. This introduced new concerns, including the capacity of Virtual Private Networks to support remote working, and the security of information accessed in the home environment,” the regulator said.
“Some larger entities observed increases in ‘accidental data breaches’, such as employees sending sensitive data to their personal email to allow for printing.”
Overseas lockdowns, meanwhile, affected third-party service providers, including offshore call centres, leading to some institutions breaching their service level agreements, it noted.
“Even after COVID-19, it seems unlikely that entities will go back to all of their previous offshoring arrangements, as they look at automating their processing, and reducing their dependency on overseas suppliers,” it said.
While noting IT system stability had been at historically high levels during the crisis, APRA flagged that this may be due to institutions putting a freeze on system changes.
“This introduces a backlog of work that will need to be completed at a later date, which may result in decreases in system stability in the future,” the regulator said.
“In addition, less critical security patches may be deferred by entities, increasing information security vulnerabilities over time if the backlog is not addressed.”
The COVID-19 disruption had created new avenues for cyber-attacks, including websites that imitate government or national health websites and provide false information, and pandemic-related aid phishing campaigns, it said.
The early super access scheme, which allows people to pull up to $20,000 from their retirement savings as part of the government’s support package measures, has been popular among scammers, with the AFP investigating at least 150 cases of identity fraud related to the program.
Implementation of the early release scheme was generally well managed by the superannuation industry, APRA noted, as it pointed to the difficulty some trustees had in accurately estimating their short-term cash requirements.
“This led to some trustees holding cash allocations significantly above their target levels, and also movement in the actual asset allocation for other asset classes,” it said. “These shifts in the weighting of actual asset allocations away from target allocation will need to be corrected over the near to medium term.”
Meanwhile, it said phone and video meetings with banks and insurers had posed a challenge.
“Without the benefit of face-to-face engagement, supervisors needed to adopt a more formal structure and couldn’t rely on their usual, more free-flowing, dialogue,” it said.
“Not being able to read the ‘mood of the room’ has diminished the effectiveness of some engagements — for both the entity and APRA’s supervision team.”
APRA said it would still use virtual prudential meetings with institutions even after COVID-19 subsided, citing the benefit of being able to schedule meetings at short notice, but added that the need for face-to-face supervision would remain, “as there is no substitute for ‘eyeballing the institution’,” it said.
More Coverage
Why global money is rethinking ‘anything but China’ trade
Big investors are preparing to play in China again, but the wild swings are not for the faint hearted.
Country’s biggest super fund to cop $27m fine
Superannuation members with multiple accounts tend to be the least well off and work multiple jobs, a court has heard as the country’s biggest superannuation scheme is set to pay a record fine over its alleged conduct.