In recent years, Australia’s financial sector has witnessed fallout from a series of severe, high-profile cybersecurity and data breaches. These include a significant cyber-attack last October at health insurer, Medibank, which saw the personal information of nearly ten million users fall into wrong hands, and a data breach in March 2023 at consumer lending business, Latitude Financial, which impacted over 14 million users in the Oceania region.
These events have triggered a desire for greater regulatory oversight, and to this end, the Australian Prudential Regulation Authority (Apra) is implementing updated CPS 230 Prudential Standards – a framework that governs the Australian market and targets effective operational risk management by banks, insurers and superannuation trustees.
The new set of standards were drafted in July 2022 and will come into effect from July 2025. Before this, entities regulated by Apra will be granted a transitional period during which they are encouraged to identify crucial operators and material service providers to support them with the new governance arrangements, before subsequently adhering to the new rules.
During a speech in August, Apra executive board member, Therese McCarthy Hockey, highlighted the importance of operational resilience and underlined the urgency with which financial institutions need to take action. She explained that the new standards are “designed to light a fire” under Apra-regulated entities to take action and overhaul their processes.
However, while the regulator may see room for improvement across governance and compliance, Australia is ahead of other Asia Pacific (Apac) markets in terms of overall regulatory landscape, according to Richard Bergman, global cyber transformation leader at consulting firm, Ernst & Young (EY), who spoke with FinanceAsia.
“CPS 230 elevated the focus of leadership on management of cybersecurity risk. [As a result,] we have seen an increase in investment to meet those regulatory obligations. For example, mandatory data breach notification and third-party risk have become a big focus as part of companies’ regulatory compliance efforts,” he explained.
Moreover, the CPS 230 requirements build on other regulatory reforms that financial institutions in Australia have had to adapt to. Last year, amendments were made to the 2018-issued Security of Critical Infrastructure Act (Soci Act) requiring market participants to maintain a critical infrastructure risk management programme, and for any operators of critical assets – or “systems of national significance” to implement enhanced cyber security capabilities.
In December 2022, the Australian government announced the development of a 2023-2030 Australian Cyber Security Strategy, updates around which Bergman believes will likely be announced in late November. He expects these to include an enhanced regulatory framework and updated regulation around device security, for instance.
“There will be a bigger expectation placed on directors and their obligations around cybersecurity and managing cyber risks going forward,” he said.
Mindset shift
Rachel Riley, co-founder and head of strategic operations at Sydney-headquartered governance risk compliance (GRC) software provider, Ansarada, told FA that these regulatory developments could revolutionise Australia’s traditional risk management landscape.
“[They] seek to go beyond cybersecurity frameworks to highlight the importance of operational resilience as a whole,” she said.
She cited as an example Apra’s Prudential Standard CPS 234, which took effect in 2019 and targeted the cybersecurity controls of Australia’s financial institutions.
In a recent assessment of the programme’s efficacy, Apra revealed that a great number of institutions struggled to meet its proposed resilience standards. Common gaps included incomplete identification and classification of critical and sensitive information assets, and limited assessment of third-party information security capability.
The report noted that “there is a need to raise the bar”, while in her speech, board member, Hockey, shared that Apra is “rapidly running out of patience” when it comes to incompliance.
Traditionally, Riley suggested, C-suites in the Australian market take a somewhat siloed approach to cybersecurity, solely viewing related risks as compliance requirements and refusing to spend more to address them. Breaking down the silos, she said, would be the most difficult task.
“Establishing operational resilience requires leaders to take an inside-out perspective, identifying processes critical to key products and operations. Decision makers should have a view of what their key services are, and what resources these rely on,” Riley explained.
“The more that different teams in an institution are able to work together to understand critical risks and run scenario testing, the more such compliance measures will permeate across the whole business. This is huge opportunity to review operations from a resilience perspective.”
Intensifying threats
It is likely that the number of successful cyber-attacks both in Australia and the wider Apac region will increase in 2024, said Bergman from EY.
Among these, business email compromise (BEC) and ransomware attacks are the two most common types of cybercrime in Australia, he noted.
BEC refers to phishing attacks targeting an institution’s finance functions through scam emails for money transfer or confidential information leaks. Meanwhile ransomware attacks lock up a victim organisation’s system or involve threats to publish secure data, unless a ransom is paid in prevention.
“We are going to see an increase in average size of ransomware payments and more people paying ransomware, as threat actors become more capable of disrupting the fundamentals of business operations,” he explained.
Bergman’s team has also observed heightened risk of third party attack, where threat actors target fintech organisations who work with larger financial services institutions. He stressed that even for boutique services providers in the space, there is real risk of being targeted as a result of client links – not only stored data.
This is a trend that is also witnessed across the global arena. EY’s recent 2023 Global Cybersecurity Leadership Insights Study into the digital security experiences of 500 C-suite and cybersecurity leaders across 25 market, revealed that the known number of cyber-attacks had increased by 75% over the past five years. Costs associated with ransomware issues are predicted to breach $265 billion by 2031, up from just $20 billion, in 2021.
The report revealed that respondents based in Asia iconsider “cloud use at scale” to be the top threat-enabling technology impacting the finance industry. 81% of Apac respondents, compared to 74% in Americas and 63% in Europe, the Middle East, India and Africa (EMEIA), said that they were concerned about the threats presented as a result of access to the cloud.
“One third of data breaches happened because of misconfiguration on cloud by human error. On the other hand, some companies leave cloud environments insecure because they focus on trying to innovate and get new products to market,” Bergman explained.
Although operating and moving to cloud at scale can provide numerous benefits such as migration from legacy systems, doing so in itself can create security vulnerabilities. To eliminate any concerns brought by cloud systems, institutions should modernise their platforms in a secure-by-design fashion, he suggested.
