An assessment of the cyber resilience of Australia’s finance sector has revealed that banks and other financial institutions have much more to do to secure themselves against cyber attacks.
The investigation, conducted by the Australian Prudential Regulation Authority (APRA), will evaluate the cyber resilience of 300 of Australia’s cyber institutions by 2023. Currently, 24 per cent of these have been assessed by APRA.
“Some of the world’s largest brands have fallen victim to major data breaches in recent years,” said APRA.
“Rates of cyber crime have increased, and criminal attacks have become more sophisticated.
“Australia has not been immune; recent, well-publicised cyber attacks are among the largest in the country’s corporate history.”
Classed as “the largest study of its kind to be conducted by APRA”, the assessment tests entities’ compliance with the CPS 234 Information Security Standard.
“The purpose of the standard is to ensure that regulated entities have baseline prevention, detection and response capability to withstand cyber security threats.”
So far, the investigation has discovered a number of gaps in the security practices of these financial organisations, at a time when cyber attacks and losses are at a peak in Australia.
The APRA findings declared the following as key gaps:
As has been demonstrated by the latest wave of cyber attacks, the second gap has proven detrimental to the security of financial institutions.
Supply chain attacks on third-party providers led to the major cyber attack on Latitude Financial, in which the data of 7.9 million people was stolen.
More recently, the big four banks — ANZ, Commonwealth Bank, National Australia Bank (NAB), and Westpac — all named themselves as victims of the HWL Ebsworth hack.
APRA said that the issue is common and a growing concern as “more and more entities are relying on service providers to manage critical systems”.
The findings come from just the first portion of APRA’s investigation, which the watchdog said will be completed by the end of the year.
“APRA encourages every entity to review those common weaknesses outlined [in the report], along with the prudential standard itself, and incorporate relevant strategies and plans to address shortfalls in their cyber security controls and governance policies,” it said.
For the full report, head to the APRA website.