APRA flags tougher stance to get boards to take security seriously
The Australian Prudential Regulation Authority (APRA) has put the boards of banks, insurers and superannuation funds on notice, warning that many of them are still failing to adequately protect their systems from hackers.
Unveiling its updated cyber security stance on Thursday, the regulator said boards will be required to engage an external audit firm to review whether their cyber defences are in line with the CPS 234 standard put in place by APRA last year.
“It’s close to 18 months since CPS 234 came into effect, and we are still seeing too many basic cyber hygiene issues across the industry,” outgoing executive board member Geoff Summerhayes said in a livestreamed speech to the Financial Services Assurance Forum.
“We want compliance independently verified, and we will be applying serious pressure when it’s not forthcoming.”
“If boards are unwilling or unable to make the required changes in a timely manner, we will consider using formal enforcement action,” he said.
The new regulations come after recent ransomware attacks significantly impacted media monitoring organisation iSentia and freight company Toll. According to Scamwatch, business email compromise scams have netted crooks a total of $132 million in Australia, while recently Sydney hedge fund Levitas Capital folded after mistakenly paying out $8.7 million to attackers.
Mr Summerhayes said a major attack on a bank was only a matter of time, while Home Affairs Minister Peter Dutton has said cyber attacks on critical infrastructure were on the rise.
He added that the one-off audits were being mandated because, while many organisations were reporting positively on their compliance, subsequent reviews almost always uncovered significant weaknesses.
“At one level this exercise is about identifying compliance issues and ensuring they are rectified in the shortest period of time to protect companies and the wider system,” he said. “At another level, it’s sending a message about the seriousness of this issue, and the need for greater accountability.”
APRA’s CPS 234 standards require companies to maintain security capabilities and evaluate the security of third parties, have policies and management plans in place, conduct regular tests, and have mechanisms to notify the regulator and other relevant bodies of incidents as they occur.
Independent security researcher Troy Hunt said phishing and social engineering attacks meant industry-wide changes may be required to keep consumers and investors safe, such as giving more insight into who owns accounts and where money is going.
“How accountable should a financial institution be, if someone is defrauded largely due to being socially engineered? If they say ‘yes I’m going to pay money to this bank account number’, [and it goes to criminals], where does the accountability lie?”
“All banks get targeted with this, and all banks have customers that are impacted by this, and particularly if we get to the point of intrabank transfers, that fraud cost even on second parties would have to mount up over the course of many different incidents.”
Daniel Lai, chief executive of Canberra-based security tech company archTIS, said lax cyber preparedness was a perennial problem for the financial services industry.
“There must be a concerted effort to both increase cyber awareness in staff training and practices, as well as ensure that critical systems and disaster recovery protocols are in place, to help ensure Australia’s financial services sector can remain resilient in the face of a persistent, hostile threat.”