APRA Forces Finance Industry to Take Cybersecurity Seriously

APRA Forces Finance Industry to Take Cybersecurity Seriously
A workman is stumped while he erects the Australian Stock Exchange board in Melbourne, Australia, 28 August 2006. AFP/Getty Images
Daniel Y. Teng
Updated:

An Australian financial regulator has put its foot down on cybersecurity forcing banks, insurers, and superannuation funds to take tougher measures to protect their systems.

From next year, APRA will require financial institutions to complete external audits of their cybersecurity systems. The goal being to “send a message” across the wider industry about the seriousness of cyber threats, and to also ensure there are no gaps in existing systems.

Geoff Summerhayes, executive board member of the Australian Prudential Regulation Authority (APRA), warned that 17,000 financial entities in the country were part of an interconnected “ecosystem” and one breach could potentially snowball across the industry.

“We know that a cyber breach in any part of the system–such as an insurance broker, a credit ratings agency, an IT service provider or ATM repair service–can have a cascading impact on the whole system,” he told an online session of the Financial Services Assurance Forum on Thursday.
Two people use National Australia Bank (NAB) ATMs in Melbourne on May 2, 2019(William West/AFP via Getty Images)
Two people use National Australia Bank (NAB) ATMs in Melbourne on May 2, 2019William West/AFP via Getty Images
Summerhayes said last year APRA supervisors reached out to financial entities asking if they were compliant with CPS 234–an industry set of standards to ensure cybersecurity was airtight and could protect consumers and data from outside threats.

Many institutions spoke positively about their compliance with CPS234.

“Yet when our IT Risk specialist team has conducted cyber reviews of some of these entities, we’ve discovered significant weaknesses in every instance, in areas such as testing programs, control environments and incident response capabilities,” Summerhayes said.

In the future, if a company’s cybersecurity has serious flaws, APRA will force the entity to “issue a breach notice and create a rectification plan.”

“If boards are unwilling or unable to make the required changes in a timely manner, we will consider using formal enforcement action,” Summerhayes said.

Matt Warren, professor of cybersecurity at the Royal Melbourne Institute of Technology, welcomed the tough measures saying they were a necessity.

A pedestrian, reflected in a window of the Australian Securities Exchange (ASX), looks at a screen showing financial data in Sydney on September 5, 2018. - (Saeed Khan/AFP via Getty Images)
A pedestrian, reflected in a window of the Australian Securities Exchange (ASX), looks at a screen showing financial data in Sydney on September 5, 2018. - Saeed Khan/AFP via Getty Images

“APRA is taking the right step. The banking and financial sector is key to Australia’s economic wellbeing, and banks and financial organisations have to be in a position to protect their data and customer data,” he told The Epoch Times.

“The key issue is that cybersecurity is a business risk and the responsibility of the board or organisations and APRA is reinforcing that,” he said.

Cybersecurity has become a major issue in recent months following a June announcement by the prime minister that Australia was under sustained attack from “sophisticated state-based cyber actor.”

There have also been a series of cybersecurity breaches targeting the health sector, business supply chains, universities, airports, state governments, and the Federal Parliamentary Network.
The incidents have prompted Prime Minister Scott Morrison to elevate cybersecurity to a cabinet-level role in the Home Affairs Department next month.
Daniel Y. Teng
Daniel Y. Teng
Writer
Daniel Y. Teng is based in Brisbane, Australia. He focuses on national affairs including federal politics, COVID-19 response, and Australia-China relations. Got a tip? Contact him at [email protected].
twitter
Related Topics