NewsBite

Financial institution cyber attack ‘will happen’, APRA chairman Wayne Byres warns

The prudential regulator has issued a bleak assessment about the likelihood of an attack on Australia’s financial institutions.

The prudential regulator says it is only a matter of time before one of the nation’s financial institutions is hit with a cyber attack.

Australian Prudential Regulation Authority chairman Wayne Byres, speaking at a parliamentary committee hearing on Tuesday, said the financial sector had made “huge amounts of investment” into cyber defence, as he singled out cyber and climate risks as among the biggest challenges facing the financial system.

But a cyber attack on one of Australia’s financial institutions “will happen” at some point in the future, he warned. “Financial institutions, at least in a broader context, are quite advanced (in cybersecurity) but what we also know is that, at some point, some sort of event will happen. It doesn’t matter what sort of defences you’ve put in place,” he said.

“As much as we focus on the defences that have been built and making sure defences and controls are as robust as they can be, it’s equally important to be investing in response capabilities so that you identify any breaches quickly, limit the damage and work out how you will respond as efficiently and as promptly as you can.”

Mr Byres, who will step down from the top job at APRA at the end of this month, described cyber risk as “a constant challenge”.

“Unlike many risks that financial institutions deal with … you’ve got an active adversary that is constantly trying to defeat your improved defences.

“Our observation would be that across the financial system this is taken very seriously. It’s high on the priority of all boards of all executive teams; there’s a huge amount being put into investment in improving defences, improving detection capabilities, and improving response capacity,” he added.

Last week, S&P Global Ratings warned data breaches remained a major risk for Australia’s banks – in particular some of the country’s regional financial players.

Three years ago, private details of 100,000 Westpac customers were exposed in an attack on its payments platform, while ANZ last year said it was fighting 10 million cyber attacks a month, including phishing attacks.

Outgoing APRA chairman Wayne Byres has warned a cyber attack on one of Australia’s financial institutions “will happen” at some point in the future.

Cyber and climate risks are among the biggest emerging risks facing the regulator and financial system, said Mr Byres.

“The economic outlook and operating environment in Australia is obviously rapidly evolving. We’ll see frequent natural disasters, elevated geopolitical tensions and cyber threats, as we saw most recently evidenced by the Optus data breach, as well as the lingering impact of the pandemic,” Mr Byres told the committee, referring to the exposure three weeks ago of the personal details of 10 million customers at the telco.

“Those things are all creating volatility in financial markets, increasing cost pressures for all industries and heightening risks in the financial system.

“And all of those pressures are occurring alongside developments in technology and digital innovation, which are rapidly changing business models and the operating landscape.”

Since the disclosure of the Optus breach, the Council of Financial Regulators’ cybersecurity group has been co-ordinating with Treasury and other arms of government to understand the impact on the financial system, and how the system should respond to make sure customers are protected, Mr Byres added.

Mr Byres also told the committee that he advocated for stronger digital identity proofing, noting that a proliferation of varying schemes across the market was “not necessarily a good thing”.

“What have we learned from this Optus exercise (is) we need to get away from some really basic, in many cases still paper based, identity (schemes) into digital, even biometric and other sorts of security (schemes) that are much more robust,” he said.

“At the moment, there are competing digital identity schemes that have been set up. There’s MyGov ID, Australia Post offers a digital identity service and the banks are working on a private sector digital identity that would be used within the financial sector and potentially more broadly.

“So I think everyone can see the merits of the idea … What we don’t yet seem to have cracked is a consensus on how many of those you would have — because I don’t think a proliferation of them is necessarily a good thing — and how we settle on what’s a good system for both the public sector and the private sector to use.”

In a report released last Wednesday, S&P analyst Nico DeLange said the frequency and sophistication of attacks on the banking industry were rising, and the sector “needs to collectively face the challenge and combine efforts to manage the risk”.

For regional banks like Bendigo and Adelaide Bank, Suncorp and Bank of Queensland, a hacking event could have a bigger impact on common equity capital, Mr DeLange said, quoting analysis by assessment firm Guidewire.

The Optus attack has also revived banking industry concerns.

The S&P report highlights noteworthy recent incidents, including ANZ New Zealand’s distributed denial-of-service attack in September last year, the June 2021 network disruptions at US content delivery network provider Akamai, impacting three banks, and the January 2021 breach involving Accellion, a provider to the Australian Securities and Investments Commission.


Original URL: https://www.theaustralian.com.au/business/financial-services/financial-institution-cyberattack-will-happen-apra-chairman-wayne-byres-warns/news-story/37cc1503d5e12ebce118aaca98875ceb